The French Data Protection Authority fines Google (150M euros) and Facebook (60M euros) due to non-compliance with cookies regulation.
The proceedings started after several complaints from data subjects. The investigation took place, and CNIL has concluded that the analysed websites have a button for the immediate acceptance of cookies; however, the process for refusal is longer, demanding several clicks.
100 000 euros per day of delay.
Additionally, both companies were fined:
- Google LLC and Google Inc: 150 million euros (in total)
- Facebook: 60 million euros
The amounts were calculated considering: (i) the large number of users affected, and (ii) the profits that these companies gain through the indirect use of the data collected with the implementation of cookies.
This decision follows a trend of increased attention to tracking technologies, emerging across the world and in various sectors of activity.
Lately, relevant fines were imposed in this field:
- In the media sector, fines were imposed to newspapers as La Última Hora Noticias SL (2000 euros) and Societe du Figaro (50 000 euros) due to the use of non-essential cookies before the user’s consent, among other reasons; and
- Retail industry member Carrefour France was fined in 2,25 million euros for several breaches of the data protection legislation, including the illegal employment of cookies.
Furthermore, non-compliance with cookies regulation is particularly visible to data subjects, which stimulates their actions against infringement. In this regard, NOYB (a digital rights organisation) has put forward an initiative to report breaches, presenting 422 formal complaints to Data Protection Authorities all over Europe. Consequently, the European Data Protection Board has created a special committee to analyse such claims – the “Cookie Banner Task Force”.
Recently and following the referred complaints from NOYB, the European Data Protection Supervisor has decided that the European Parliament is in breach of the applicable legislation, notably due to: (i) the lack of transparency in the information provided to users, (ii) the unlawful use of third-party cookies and (iii) the illegal transfer of personal data to the United States.
As more actions and fines are expected from Data Protection Authorities, organisations have to be prepared to demonstrate compliance. A thorough scrutiny of all tracking technologies used, an in-depth analysis of the applicable legal regime and the correct employment of cookie management tools are essential to anticipate any implementation deficiencies.