faithie - stock.adobe.com
French data protection watchdog CNIL (Commission Nationale de l’Informatique et des Libertés) is to fine Facebook €60m (£50m/$68m) and Google €150m (£170m/$203m) over breaches of data law, after an investigation found that Facebook.com, Google.fr and YouTube.com had made the process of refusing cookies harder than the process of accepting them.
CNIL said its restricted committee – the body responsible for issuing sanctions – noted that all three websites offered a button allowing users to immediately accept cookies, but did not provide an equivalent solution allowing them to easily refuse them. “Several clicks are required to refuse all cookies, against a single one to accept them,” said CNIL.
“The restricted committee considered that this process affects the freedom of consent. Since, on the internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favour of consent. This constitutes an infringement of Article 82 of the French Data Protection Act.”
CNIL said that by making the refusal mechanism more complex, Facebook and Google discourage users from refusing cookies and encourage them to opt for the ease of clicking on the consent button instead, which denies users freedom of consent.
As a result of this, both Facebook – legally, Facebook Ireland – and Google now have three months to implement a solution that gives users located in France a means of refusing cookies that is as simple as the means of accepting them, with penalties of €100,000 a day added on if this deadline is missed.
Read more about cookies
- In September 2021, the UK’s outgoing information commissioner, Elizabeth Denham, called on her equivalents across the G7 group of countries to collaborate on an overhaul of cookie consent pop-ups.
- Marketers need to revisit their marketing strategies now before third-party cookies disappear for ever. Here’s what you need to know.
The judgments form part of an ongoing two-year campaign by CNIL targeting websites that contravene the relevant sections of France’s law on cookies.
It has issued nearly 100 orders and sanctions related to non-compliance on cookies since March 2021 to various organisations, including public sector bodies and political parties. One of the more significant of these notices was issued to newspaper publisher Societe du Figaro, which was fined €50,000 for failing to ensure it had obtained consent from users to allow advertising cookies to be placed on their devices.
A spokesperson for Facebook parent Meta said: “We are reviewing the authority’s decision and remain committed to working with relevant authorities. Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”
The organisation has been working behind the scenes to evolve its data protection practices in line with guidance being implemented around the world, and last year made changes to its cookie consent flows for users in Europe.
A Google spokesperson said: “People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in the light of this decision under the ePrivacy Directive.”