France fines Facebook and Google over alleged cookie malpractice

French data protection watchdog CNIL (Commission Nationale de l’Informatique et des Libertés) is to fine Facebook €60m (£50m/$68m) and Google €150m (£170m/$203m) over breaches of data law, after an investigation found that Facebook.com, Google.fr and YouTube.com had made the process of refusing cookies harder than the process of accepting them.

CNIL said its restricted committee – the body responsible for issuing sanctions – noted that all three websites offered a button allowing users to immediately accept cookies, but did not provide an equivalent solution allowing them to easily refuse them. “Several clicks are required to refuse all cookies, against a single one to accept them,” said CNIL.

“The restricted committee considered that this process affects the freedom of consent. Since, on the internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favour of consent. This constitutes an infringement of Article 82 of the French Data Protection Act.”

CNIL said that by making the refusal mechanism more complex, Facebook and Google discourage users from refusing cookies and encourage them to opt for the ease of clicking on the consent button instead, which denies users freedom of consent.

It also considers that Facebook has failed to provide clear information because in order to refuse cookies, users must first click on a button called “accept cookies”. It said this generates confusion and gives users the impression that it is not possible to refuse cookies.

In the case of Google, CNIL noted that it had already drawn the company’s attention to the breach of the Data Protection Act in February 2021, and communicated to it on numerous occasions that it should be as easy to refuse cookies as it is to accept them.

As a result of this, both Facebook – legally, Facebook Ireland – and Google now have three months to implement a solution that gives users located in France a means of refusing cookies that is as simple as the means of accepting them, with penalties of €100,000 a day added on if this deadline is missed.

The judgments form part of an ongoing two-year campaign by CNIL targeting websites that contravene the relevant sections of France’s law on cookies.

It has issued nearly 100 orders and sanctions related to non-compliance on cookies since March 2021 to various organisations, including public sector bodies and political parties. One of the more significant of these notices was issued to newspaper publisher Societe du Figaro, which was fined €50,000 for failing to ensure it had obtained consent from users to allow advertising cookies to be placed on their devices.

A spokesperson for Facebook parent Meta said: “We are reviewing the authority’s decision and remain committed to working with relevant authorities. Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”

The organisation has been working behind the scenes to evolve its data protection practices in line with guidance being implemented around the world, and last year made changes to its cookie consent flows for users in Europe.

A Google spokesperson said: “People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in the light of this decision under the ePrivacy Directive.”