The French Data Protection Authority fines Google (150M euros) and Facebook (60M euros) due to non-compliance with cookies regulation.

On 6 January 2022, the French Data Protection Authority (CNIL) announced fines against Google and Facebook for non-compliance with cookies legislation (decisions available here and here).

The proceedings started after several complaints from data subjects. Following its investigation, CNIL concluded that the analysed websites have a button for the immediate acceptance of cookies; however, the process for refusal is longer, demanding several clicks.

According to CNIL, the described practice constitutes a breach of the applicable data protection legislation, as it discourages users from rejecting cookies. Refusing cookies shall be as easy as accepting them, which is not the case on the analysed websites – the acceptance of cookies is immediately available to data subjects, while the refusal requires a greater effort.

Consequently, CNIL has ordered both companies to provide their France-based users with a simple means to refuse the use of cookies, at least as simple as the existing means for acceptance. The two companies were allowed a period of three months to comply with this decision. Failure to meet this deadline entails the payment of a penalty of 100 000 euros per day of delay.

Additionally, both companies were fined:

  • Google LLC and Google Inc: 150 million euros (in total)
  • Facebook: 60 million euros

The amounts were calculated considering: (i) the large number of users affected, and (ii) the profits that these companies gain through the indirect use of the data collected with the implementation of cookies.

This decision follows a trend of increased attention to tracking technologies, emerging across the world and in various sectors of activity.

Lately, relevant fines were imposed in this field:

  • In the aviation sector, Vueling Airlines paid a fine of 30 000 euros for using an inadequate cookie policy on its website;
  • In the media sector, fines were imposed on newspapers such as La Última Hora Noticias SL (2000 euros) and Societe du Figaro (50 000 euros) due to the use of non-essential cookies before the user’s consent, among other reasons; and
  • Retail industry member Carrefour France was fined 2,25 million euros for several breaches of the data protection legislation, including the illegal employment of cookies.

Furthermore, non-compliance with cookies regulation is particularly visible to data subjects, which encourages them to act against infringements. In this regard, NOYB (a digital rights organisation) has put forward an initiative to report breaches, presenting 422 formal complaints to Data Protection Authorities all over Europe. Consequently, the European Data Protection Board has created a special committee to analyse such claims – the “Cookie Banner Task Force”.

Recently, following the aforementioned complaints from NOYB, the European Data Protection Supervisor decided that the European Parliament is in breach of the applicable legislation, notably due to: (i) the lack of transparency in the information provided to users, (ii) the unlawful use of third-party cookies and (iii) the illegal transfer of personal data to the United States.

As more actions and fines are expected from Data Protection Authorities, organisations have to be prepared to demonstrate compliance. A thorough scrutiny of all tracking technologies used, an in-depth analysis of the applicable legal regime and the correct employment of cookie management tools are essential to anticipate any implementation deficiencies.