The French Data Protection Authority (the “CNIL”) continues its campaign against companies that do not respect the rules relating to cookies and other trackers, which the CNIL has previously reminded the market about in multiple communications and decisions.

The CNIL has already issued four sets of formal notices to over 90 organizations of various sizes for non-compliance with the rules. It has now imposed high sanctions against Google Ireland Limited and Google LLC (collectively Google)[1] and Facebook Ireland Limited (Facebook)[2] for their practices regarding cookies. Specifically, Google was fined 150 million euros on 31 December 2021 and Facebook was fined 60 million euros on 30 December 2021 for not allowing users of their services to refuse cookies as easily as they were able to accept them.

The following points of the CNIL’s concerns about both Google and Facebook’s use of cookies and the choices offered to their users should be noted:

Non-compliance if rejecting cookies is too confusing or difficult. The CNIL considers that making the mechanism for refusing cookies more complex than the one for accepting them discourages users from refusing cookies and encourages them to prefer the ease of the “I accept” button. This is contrary to the provisions of Article 82 of the French Data Protection Act (“FDA”), which implements the Privacy and Electronic Communications Directive 2002/58/EC (“ePrivacy Directive”).

The CNIL’s reasoning is not new and is based on the provisions contained in its Guidelines[3] on the application of Article 82 of the FDA relating to read and/or write operations on a user’s terminal, and in its Practical Recommendation[4] dated September 17, 2020, which proposes practical steps to comply when using cookies and other tracers.

In these two decisions, the CNIL criticises the confusion generated by the methods available to the user: in Google’s case, the refusal mechanism is discouraging and encourages acceptance, while in Facebook’s case, the information presented to users is contradictory (i.e. a button labelled “accept cookies” is displayed for the users to confirm their choices at the bottom of the same page on which users are given the choice to enable/disable each cookie used individually, even where the user has chosen to disable all cookies). The CNIL considers that because the information Facebook provides to its users is contradictory, this is in breach of the relevant rules even where no cookie has actually been placed on the user’s terminal.

CNIL’s role to issue practical illustrations under GDPR. Google and Facebook both argued that Article 82 of the FDA does not specifically refer to the simple acceptance and refusal mechanism referred to above and criticized the CNIL for introducing new requirements relating to the refusal of consent.

In response, the CNIL noted its power under Article 8(I)(2)(b) of the FDA to publish binding guidelines and recommendations in relation to companies’ compliance with the relevant requirements. It argued that, in such guidelines and recommendations, the CNIL merely illustrates how Article 82 of the FDA should be applied and does not create new requirements, instead just clarifying how the consent requirements in the GDPR are to be applied in the context of cookies.

High sanctions. In determining the amount of the fines (maximum 2% of the total annual worldwide turnover of the previous financial year achieved by the data controller), the CNIL is consistent across these two decisions and applied the criteria of Article 83 of the GDPR (notably, nature, duration and seriousness of the breach, deliberate intention, corrective actions implemented, cooperation with the authority, etc.), as incorporated into Article 20(III) of the FDA. The decisions note that the CNIL is not obliged to specify the calculation formula used to determine how the proposed fines are calculated, and is minded not to in order to maintain the dissuasive effect of its fines. However, even though the breach relates to laws stemming from the ePrivacy Directive, the CNIL has taken into account the above-mentioned GDPR Article 83(1) criteria on a case-by-case basis in order to impose proportionate fines.

CNIL jurisdiction via ePrivacy Directive. In both decisions, the CNIL considers that the GDPR one-stop shop principle does not apply in relation to the ePrivacy Directive (as transposed within Article 82 of the FDA). For this reason, it considers it is entitled to control and, in the event of non-compliance, may sanction companies that place cookies on the terminals of Internet users located in France. It also considers that it has jurisdiction insofar as the processing activities concerned are carried out in the context of the activities of establishments on French territory of the data controllers in accordance with Article 3(1) of the GDPR.

Summary

Origin of the CNIL’s control
Google LLC / Google Ireland Limited: User complaints
Facebook Ireland Limited: User complaints

Breach of the DPA
Google LLC / Google Ireland Limited: One click to accept cookies (“I accept” button) versus several clicks needed (at least 5 actions) to refuse them: a “Personalize” button sending the user to a page of choices to “activate or deactivate” the cookies, then “confirm”.
Facebook Ireland Limited: One click to accept cookies (“Accept all” button) versus several clicks needed (at least 3 actions) to refuse them: a “Manage data settings” button leading to a page of choices to “enable or disable” cookies (disabled by default), then “Accept cookies” (even if no option is enabled). It is emphasized that it is counterintuitive to click on an “Accept Cookies” button to refuse cookies.

Sanctions (administrative fine and correction order)
Google LLC: EUR 90 million. Google LLC (a US company) was fined because it has significant influence over the bodies deciding on the deployment of Google products in Europe and the processing of personal data of Europeans.
Google Ireland Limited: EUR 60 million (the two companies are jointly liable).
Correction order against Google: 100,000 euros per day of delay at the end of a period of 3 months following notification of the CNIL’s decision, for each company. Decision made public.
Facebook Ireland Limited: EUR 60 million. Correction order: 100,000 euros per day of delay at the end of a period of 3 months following notification of the CNIL’s decision. Decision made public.

Sanction criteria (Article 83(2) of the GDPR)
Google LLC / Google Ireland Limited:
1. Seriousness: the number of people affected by the processing activities concerned is an extremely high proportion of the French population. The Google Search engine has a considerable reach in France;
2. The violation was committed deliberately: (i) corrective measures proposed by the CNIL during a previous injunction were not followed by Google, (ii) the CNIL has publicly communicated the requirements on its site on several occasions;
3. Lack of cooperation with the CNIL: no communication of the figures relating to the data subjects concerned;
4. Financial benefits of the breach: cookies play a very important role in online advertising, through which the companies make most of their profits. Revenues generated are estimated between 580 and 640 million euros.
Facebook Ireland Limited:
1. Seriousness: (i) encouragement to accept, (ii) large number of users in France, (iii) inescapable reach of the social network in France, (iv) important place in access to information and public debate, (v) reach to third-party sites;
2. Financial benefits derived from the breach: business model of targeted content matching based mainly on cookies. Revenues generated are estimated between 550 and 660 million euros.


[1] CNIL Decision against Google, SAN-2021-023, dated 31 December 2021 (in French only)

[2] CNIL Decision against Facebook, SAN-2021-024, dated 31 December 2021 (in French only)

[3] CNIL Guidelines on cookies and other tracers (in French only) – legally binding

[4] CNIL Practical Recommendation on cookies and other tracers (in French only)