Google and Facebook have been fined €150 million and €60 million, respectively, by the French privacy watchdog. Both companies allegedly make it too difficult for users to refuse tracking cookies.
The CNIL recently published two decisions in which it fined Facebook Ireland Limited and Google LLC and Google Ireland Limited for failing to comply with cookie laws. The platforms have three months to adjust their practices. If they fail to do so, they will receive a fine of €100,000 for each day the violation continues, effective April 1.
Tracking cookies (also called marketing cookies) are small pieces of code that collect the behavior of website visitors. The data thus obtained is used to create a profile of the website visitor. With the data this generates, advertising companies gain insight into which advertising can best be shown to a particular user.
You can read more about cookies here and here .
According to European privacy laws, Internet users must first give explicit consent for the use of these cookies. In this regard, CNIL cites Article 82 of the French Data Protection Act - a law implementing the European e-Privacy Directive - and emphasizes that this consent must be free. According to the CNIL, this is only the case when accepting cookies is as easy as refusing them.
This was not the case with Google and Facebook. While the cookie banners offered the possibility to accept all cookies with 1 click, they did not provide an equivalent solution to refuse all cookies at once. Users who want to refuse must go through several steps: for Google five and for Facebook at least three clicks. This affects the freedom with which users consent. In effect, this makes consent steered.
Article 7(3) of the General Data Protection Regulation (AVG) also mentions as a condition for obtaining consent, that withdrawing it should be as easy as giving it. As mentioned, cookies are also subject to the e-Privacy Directive and, finally, in the Netherlands we have the Cookie Law, as part of the Telecom Act.
In doing so, the French privacy watchdog is handing out its highest fine to date. CNIL has been strictly enforcing cookies for a year or two and is the first European authority to impose fines so explicitly for directed consent. Where cookies are concerned, France is leading the way. It is therefore to be expected that regulators from other member states, such as the Personal Data Authority, will also follow these developments closely and possibly adjust their policies accordingly.
