French privacy watchdog fines Facebook and Google over cookie tracking rules

The CNIL has given the two companies three months to comply. After that, they will be subject to a €100,000 fine each day of delay. [Koshiro K/Shutterstock]

France’s data protection watchdog known as the CNIL fined Facebook and Google €60 million and €150 million, respectively, on Thursday (6 December) in its latest crackdown against tech giants violating cookie tracking rules. EURACTIV France reports.

The year is off to a flying start for the French body as it imposed two heavy fines on Facebook and Google for not allowing their users to easily reject their cookies – small files used to track users online, primarily for advertising purposes.

When reviewing the websites of Facebook, Google and Google-owned Youtube, the CNIL found the platforms provided a one-click system to consent to cookies, but several clicks to reject them.

This goes against the CNIL’s guiding principle, according to which “refusing cookies should be as easy as accepting”.

The 2002 ePrivacy Directive requires Internet users to give their consent before any information can be stored on their device – unless necessary for the proper performance of the service requested. The EU’s General Data Protection Regulation (GDPR) also sets out the scope of consent, which must be free, specific, informed and unambiguous.

Contacted by EURACTIV, Google said it was “committed to implementing further changes, as well as actively working with the CNIL in response to its decision, in the framework of the ePrivacy Directive.”

Facebook, for its part, explained that it was “reviewing” the decision. “Our cookie consent controls provide people with greater control over their data […], and we continue to develop and improve these controls,” a spokesperson for Meta, the social media’s parent company, has said.

The CNIL has given the companies three months to comply. After that, they will be subject to a €100,000 fine for each day of delay.

Cookies: French data protection watchdog welcomes increased compliance

Following on from its guidelines on the rules to be applied to cookies, the French data protection authority (CNIL) drew up on Tuesday (14 September) the results of its second campaign of formal notices sent to companies for non-compliance with the legislation on cookies.

Google in the crosshairs

While Google’s €150 million fine remains the record amount ever given by CNIL, this is the second time France’s privacy watchdog has fined the US giant. In December 2020, the CNIL criticised Google for its cookie policy and fined it €100 million. Amazon was also targeted at the time.

However, Google decided to challenge the fine before the country’s top administrative court, the Council of State, arguing that the several months period granted to comply was too short.

The tech giant also questioned the decision’s legal basis, stating that CNIL does not have the authority to control cookie policies under the ePrivacy Directive. Instead, it argued that the jurisdiction falls within the remit of the Irish data protection authority because of the one-stop-shop mechanism provided for in the GDPR, the EU privacy law.

Google challenged the CNIL’s overall approach of using the ePrivacy Directive as a legal basis for sanctioning the tech giant instead of the GDPR, precisely to be able to fine the internet company directly without going through the one-stop-shop process.

In March 2021, the Council of State rejected Google’s request and confirmed the fine.

Google challenges French data watchdog's €100 million fine in court

France’s administrative court known as the Council of State considered on Thursday an application for interim measures filed by Google LLC and Google Ireland after the French Data Protection Authority known as the CNIL fined the digital giant €100 million last December for its cookie collection policy. EURACTIV France was at the hearing.

[Edited by Luca Bertuzzi/ Alice Taylor]

Subscribe to our newsletters