France’s data protection watchdog, known as the CNIL, fined Facebook and Google €60 million and €150 million, respectively, on Thursday (6 December) in its latest crackdown against tech giants violating cookie tracking rules. EURACTIV France reports.
The year is off to a flying start for the French body as it imposed two heavy fines on Facebook and Google for not allowing their users to easily reject their cookies – small files used to track users online, primarily for advertising purposes.
When reviewing the websites of Facebook, Google and Google-owned YouTube, the CNIL found the platforms provided a one-click system to consent to cookies, but required several clicks to reject them.
This goes against the CNIL’s guiding principle, according to which “refusing cookies should be as easy as accepting”.
The 2002 ePrivacy Directive requires Internet users to give their consent before any information can be stored on their device – unless necessary for the proper performance of the service requested. The EU’s General Data Protection Regulation (GDPR) also sets out the scope of consent, which must be free, specific, informed and unambiguous.
Contacted by EURACTIV, Google said it was “committed to implementing further changes, as well as actively working with the CNIL in response to its decision, in the framework of the ePrivacy Directive.”
Facebook, for its part, explained that it was “reviewing” the decision. “Our cookie consent controls provide people with greater control over their data […], and we continue to develop and improve these controls,” a spokesperson for Meta, the social network’s parent company, said.
The CNIL has given the companies three months to comply. After that, they will be subject to a €100,000 fine for each day of delay.
Google in the crosshairs
However, Google decided to challenge the fine before the country’s top administrative court, the Council of State, arguing that the several-month period granted to comply was too short.
The tech giant also questioned the decision’s legal basis, stating that the CNIL does not have the authority to control cookie policies under the ePrivacy Directive. Instead, it argued that the jurisdiction falls within the remit of the Irish data protection authority because of the one-stop-shop mechanism provided for in the GDPR, the EU privacy law.
Google challenged the CNIL’s overall approach of using the ePrivacy Directive as a legal basis for sanctioning the tech giant instead of the GDPR, precisely to be able to fine the internet company directly without going through the one-stop-shop process.
In March 2021, the Council of State rejected Google’s request and confirmed the fine.
[Edited by Luca Bertuzzi/ Alice Taylor]