The infringement

French Data Protection Authority, CNIL, has kick-started 2022 issuing a whopping €150million fine to Google (google.fr and youtube.com users) and €60million to Facebook, now Meta, (facbook.com users) for failing to implement a mechanism which allows users to reject cookies, as easily as it is to accept them (CNIL announcement). In short, the US tech giants were using cookie control mechanisms which forced user consent.

Cookies are snippets of website code, which allow web browsers to save information about a user’s session. These are highly valuable for Google and Facebook, as some of these cookies can be used for personalised advertising purposes; their primary source of revenue. The UK and EU have stricter regulations than the US and require websites to ask for user consent before placing non-essential cookies on devices and tracking a user’s activity.

French cookie rules are laid down in Article 82 of the French Data Protection Act (”French DPA”), which implements into French law the provisions in the EU GDPR. CNIL’s investigations found that whilst Google and Facebook gave French users a single button to immediately “Accept All” cookies, it did not provide an equally simple way to reject them, which was considered confusing and required several clicks.

CNIL found that this process affects the freedom of consent as it influences users’ choice in favour of accepting the cookies, and thus infringing the cookie consent requirement of Article 82 of the French DPA.

CNIL’s sanctions

CNIL fined Google LLC €90million, Google Ireland Limited €60million and Facebook Ireland Limited €60million. It justified these amounts by “the scope of the processing, the number of data subjects concerned and the considerable profits the compan[ies] make from advertising revenues indirectly generated from the data collected by the cookies.”¹

CNIL also noted that it had already, in February 2021, drawn Google’s attention to the infringement and “communicated on numerous occasions that it should be as easy to refuse cookies as to accept them.”²

Further, the regulatory body said that Google and Facebook have three months to rectify their infringing practices, after which CNIL will impose fines of €100,000 per day until their websites are compliant.

A warning of things to come in 2022

Despite the sigh of relief by companies following the favourable Supreme Court judgment in Lloyd v Google LLC³, which is thought to help put a lid on the cookie claim jar (read more here), it appears that it may now fall to the regulators, rather than the Courts, to hold companies to account when they violate legislation regarding their use of cookies.

However, favourable developments in the Courts certainly do not mean that companies can relax when it comes to ensuring that their websites are compliant with cookie legislation. These recent fines indicate that regulators may now feel a greater responsibility to respond to user complaints with a full investigation, and imposition of a deterrent sized fine, in order to uphold the privacy rights of those affected individuals who may have previously sought redress via the Courts.

These fines act as a warning to not just US tech giants, but all companies, that the spotlight of Data Protection Authorities across the globe will be shining on cookies in 2022 and it is certainly an indicator that there will be some hard-hitting fines for non-compliance still to come.

Cookies have also come under scrutiny in two recent decisions involving post Schrems II data transfer compliance. For further details, please see our article here.

¹https://www.cnil.fr/en/cookies-facebook-ireland-limited-fined-60-million-euros
²https://www.cnil.fr/en/cookies-google-fined-150-million-euros
³[2021] UKSC 50