France's data protection regulator (the CNIL) has imposed hefty fines on Google (€150m) and Facebook (€60m) for making it more difficult for users in France to reject cookies than to accept them. The companies also face penalties of €100,000 per day of delay if they fail to simplify the reject mechanism within 3 months.
The CNIL is living up to its promise to crack down on cookie violations, having previously fined Google €100m and Amazon €35m for unauthorised installation of cookies in December 2020. These sanctions are a bucket of cold water for those businesses which, steering a course between commercial pressures and regulatory compliance, have applied a liberal interpretation to consent requirements for cookies.
Failure to meet consent requirements
The e-Privacy Directive requires users to consent to non-essential cookies. The standard of consent is the same as under the EU GDPR: it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw consent as to give it.
The CNIL found that, while users of google.fr, youtube.com and facebook.fr could accept cookies in a single click, there was no equivalent button to reject them, instead requiring several clicks (and, in the case of Facebook, only via a button confusingly entitled "Accept Cookies"). The CNIL considered this would likely cause users reluctantly to click "accept all" and impact their freedom of choice.
The level of fines
The CNIL has not pulled its punches; its fine against Google is the largest it has imposed to date. It took into account the scope of the processing, the number of data subjects impacted and the profits the companies made from advertising revenues indirectly generated by the data collected from the cookies. The CNIL also treated Google's non-compliance as "deliberate" because Google had previously been warned about expectations for cookie rejection mechanisms in the context of the CNIL's previous action against it.
Avoiding EU GDPR's "One Stop Shop"
By levying these fines under local law (the French Data Protection Act which implements the e-Privacy Directive), the CNIL retained control of the action and avoided the "one stop shop" mechanism under the EU GDPR – whereby the supervisory authority of the "main establishment" of a data controller or processor serves as the lead authority in respect of its cross-border processing. To date, Google has not faced any action under the EU GDPR by its lead supervisory authority, the Irish Data Protection Commission.
EU/UK diverging approach to cookies?
These sanctions demonstrate the CNIL's resolve to force Big Tech to comply with cookie laws in France. Its approach to cookie law enforcement has been more stringent than that of other regulators in Europe and in the UK so far. The European Data Protection Board responded on 18 January 2022 to concerns raised by French associations about inconsistencies in the interpretation of consent requirements to emphasise its commitment to a harmonised application of the rules on cookies. The inconsistency creates uncertainty for businesses with pan-European websites – they may now feel the pressure to tighten up their practices to adhere to France's approach. The direction of travel in the UK appears slightly different; the UK government, in its consultation paper, "Data: a new direction", is minded to take a more risk-based approach and relax some cookie consent requirements (although it would be advisable not to interpret this as indicating a generally lenient approach – the Government also proposes increasing maximum fines so that they are equivalent to UK GDPR fines of 4 per cent of annual turnover or £17.5m (whichever is the higher)). If the rules on cookies in the UK and the EU diverge significantly, this could (depending on the UK/EU political climate at the relevant time) have implications for the EU's adequacy decision in respect of transfers of data to the UK.