French data protection regulator fines Google and Facebook for making it harder to refuse cookies than to accept them

January 11, 2022

CNIL, the French data protection regulator, has issued fines to Google and Facebook for making it harder to refuse cookies than to accept them.  The restricted committee of the CNIL, which issues sanctions, noted that, following investigations, the websites, and offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other mechanism) enabling the website user to easily refuse the use of these cookies. Several clicks are required to refuse all cookies, in contrast to a single one to accept them.

The restricted committee considered that this process affects the freedom of consent. This is because, on the Internet, the user expects to be able to quickly consult a website.  The fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favour of consent. This constitutes an infringement of Article 82 of the French Data Protection Act. 

As a result of this infringement, the CNIL’s restricted committee imposed:

  • a fine of 150 million euros on Google (90 million euros for Google LLC and 60 million euros for Google Ireland Limited);
  • a fine of 60 million euros on Facebook Ireland Limited..

In addition to the fines, the restricted committee ordered the companies to provide internet users located in France with a means of refusing cookies as simple as the existing means of accepting them to guarantee their freedom of consent. If the companies fail to do so within three months, they will be required to pay a penalty of 100,000 euros per day of delay.

These two decisions are part of the global compliance strategy initiated by the CNIL over the past two years. They say that French and foreign websites attract many visits but have practices contrary to the legislation on cookies.

Since March 31, 2021, when the CNIL’s deadline set for websites and mobile applications to comply with the new rules on cookies expired, the CNIL has adopted nearly 100 corrective measures (orders and sanctions) related to non-compliance with the legislation on cookies.

Update 13/01/2022

This is an interesting case as it is has been brought under the French implementing legislation under the E-Privacy Directive, rather than the GDPR. This means that the one-stop shop does not apply and the French regulator has jurisdiction. If the matter were dealt with under the GDPR, the Irish DPC would have jurisdiction under the one stop shop. Google is now appealing the fine and seeking to have the fine annulled on the grounds that the French CNIL was not competent and should have given the case to the Irish regulator (presumably because they think the Irish regulator would be more lenient and the limit on fines in Ireland under the E-privacy Directive is considerably lower than in France). It remains to be seen whether there is any mileage in Google’s argument.