25 January 2022

CNIL imposes the largest sanctions in its history on Facebook and Google

CNIL issued the largest fines in its history against Facebook and Google for infringements of the existing regulations on cookies.


On 31 December 2021, in two high-profile decisions, the “Commission Nationale de l’Informatique et des Libertés” (“CNIL”)[1], after considering that it had jurisdiction to “verify and sanction operations related to cookies deposited by the company on the terminals of Internet users located in France[2]”, issued the largest fines in its history: 60 million euros against Facebook[3], 60 million euros against Google Ireland Limited[4] and 90 million euros against Google LLC[5] (“Google”).

It warned the web giants of the consequences if they failed to comply with their obligations under Article 82 of the French Data Protection Act concerning the procedure for accepting and refusing cookies[6], a cookie being defined as a “small computer file, a tracer, deposited and read, for example, when consulting a website, reading an e-mail, installing or using software or a mobile application, regardless of the type of terminal used (computer, smartphone, digital reader, video game console connected to the Internet, etc.)”[7].

These two decisions, which were handed down on the same day, provide an opportunity to review the failings of Facebook, which was accused of setting up an overly complex and discouraging cookie handling process for its users, pushing them to accept them, and Google for failing to respect its users’ consent to cookies, shortly after being warned by the CNIL. Finally, with these two decisions, the CNIL points out the methods used, and the criteria retained for the calculation of fines.


I.  The CNIL criticized Facebook for having set up a complex and discouraging process for users wishing to refuse cookies

Since the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council called the General Data Protection Regulation, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her” [8]. Thus, “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment [9].

Consequently, the CNIL’s restricted committee considered that both the method of collecting consent proposed to users by Facebook and the obvious lack of clarity of the information[10] were a clear violation of Article 82 of the French Data Protection Act[11].

Indeed, the CNIL criticized Facebook for having set up a complex and discouraging process for the user wishing to refuse the cookies[12]. Thus, the CNIL noted that “while it offers a button to immediately accept cookies, it does not offer an equivalent solution (button or other) enabling the user to refuse the deposit of cookies as easily[13]”. In practice, if a user wished to refuse the cookies, a single click was not enough, he had to refuse them one by one[14]. According to the CNIL, this procedure for refusing cookies, considered to be complex and time-consuming, dissuades the user from refusing them[15] and “affects the freedom of consent of Internet users[16]”.

Facebook was also criticized for the information path explaining to the user how to refuse cookies. This was considered confusing and unclear as the user, in order to refuse the deposit of cookies, had to click on a button entitled “Accept cookies”[17]. Specifically, once the user arrived on the “com” website, he had to “refuse the deposit of advertising cookies, first click on the “Manage data settings” button in the first window, scroll through the entire second window that appears, leaving the two sliding buttons deactivated so as not to accept cookies, and then click on the “Accept cookies” button at the bottom of the second window[18]”. The CNIL considered that such a process necessarily led to confusion in the mind of the user, who could imagine that it was not possible to refuse the deposit of cookies and that he had no control over this[19].


II.  The CNIL criticized Google for not allowing users to refuse cookies as easily as to accept them

 Concerning the websites “fr” and “” of the Google companies, the latter were accused of having only provided the acceptance of cookies when opening a web page[20], whereas to refuse them it was necessary to go to the browser settings[21] and to have set up a single action to consent to cookies but no less than five actions to refuse them[22].

In response, Google argued that “neither the “ePrivacy” Directive, nor the GDPR, nor Article 82 of the French Data Protection Act provided that the action of refusing cookies should be as simple as accepting them[23]”. Google added that “the fact of not proposing, at the first level of information, a “Refuse all” button is not contrary to the principle of freedom of consent insofar as users have the possibility of refusing cookies by clicking on the “Personalise” button[24].

 Nevertheless, the CNIL specified in its decision of 31 December 2021 that in its recommendation of 17 September 2020, it had already advised data controllers to set up a mechanism allowing the user to choose at the same time, on the same page and through the same window, whether to refuse cookies or accept them[25].

The CNIL also reminded Google that “the companies were recently sanctioned for breaches of Article 82 of the French Data Protection Act regarding the information and gathering of consent from individuals before the deposit of cookies on their terminal. Although this sanction is not final since it is being appealed to the Council of State, the restricted committee nevertheless notes that the companies’ attention had been explicitly drawn by the CNIL services to the methods for refusing cookies[26]”. In this regard, after an unsuccessful appeal to the Council of State on 7 March 2021 in order to invalidate the injunction made to the Google companies to comply with the decisions[27], the latter once again pleaded before the same jurisdiction in early January 2022 in order to obtain the cancellation of the fine imposed by the CNIL in December 2020[28].

The CNIL therefore considered that Google had not been aware of the consequences of such successive breaches.


III.   An illustration of the criteria used by the CNIL to determine the fines and its assessment of the need to impose a penalty payment

 In order to determine the amount of the fines imposed on Facebook, the CNIL applied certain criteria provided for in Article 83(2) of the GDPR. It took into account the “gravity of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected[29]”but also the financial benefits gained as a result of the infringement[30] and the financial capacity of Facebook[31].

In assessing the amount of the fines imposed on Google, the restricted committee considered that the violation was committed deliberately[32]. Indeed, the two Google companies had already been sanctioned recently for infringements of Article 82 of the French Data Protection Act concerning the information and gathering of consent from individuals prior to the gathering of cookies on their terminal[33].

Finally, for both Facebook and Google, the CNIL relied on their influence and prominence online[34], their revenue from advertising[35] and the number of visitors over the past twelve months.

In addition, considering that the compagnies had already been alerted to the necessity of changing their practices and in order to ensure that the required steps would be taken in the future, the CNIL imposed injunction under penalty to modify the modalities of the gathering of users’ consent to cookies.

Related content

Press review
Press review
2 June 2023
Press review – Week of 29 May 2023
This week, the 32nd chamber of the Paris judicial court handed down its first conviction for price manipulation against Thierry...
DPA ABA 2023
26 April 2023
Deferred Prosecution Agreements and how much do they shield from litigation and arbitration?
During the American Bar Association International Law Section 2023 conference, Stéphane de Navacelle will discuss Corporate criminal liability frameworks which...
9 March 2023
Historical sanctions by the Financial Markets Authority
The Financial Markets Authority’s Enforcement Committee imposes record-breaking fines on a British asset management company and two of its executives...
24 January 2023
Sanctioning obstructions to AMF investigations: Update from the Constitutional Court in its decision of 28 January 2022
On 28 January 2022, the Constitutional Court ruled that Article L. 621-15, II, f of the Monetary and Financial Code...
Press review
Week of 21 November 2022
25 November 2022
Press review – Week of 21 November 2022
In this press review, you will discover the opening of a preliminary investigation by the French National Financial Prosecutor’s Office...
21 November 2022
Judicial Agreement of Public Interest for aggravated tax fraud laundering and illegal canvassing
Credit Suisse escapes prosecution and agrees to pay a public interest fine of 123,000,000 euros under the 13th deferred prosecution...
Press review
Week of 14 November 2022
18 November 2022
Press review – Week of 14 November 2022
In this press review, you will find three significant events: the first conviction in France of a former Liberian rebel...
Autorité de la concurrence - Google
18 November 2022
Recent sanctions against Google by the French Competition Authority: ad servers and related rights
In 2021, the French Competition Authority imposed several fines on Google for anti-competitive practices related, on the one hand, to...
Press review
Week of 24 October 2022
28 October 2022
Press review – Week of 24 October 2022
In this press review, there are several important events on the judicial level. Indeed, a judicial public interest agreement...
26 October 2022
The CNIL and recent cases on personal data protection
The French data protection authority, the CNIL, has recently imposed important sanctions against Google, Facebook and Amazon for violations of...
12 October 2022
Discussions on secrecy in law enforcement proceedings and on AML/FT regulation
On October 5th, 2022, the annual conference of the AMF Enforcement Committee was held. During this event, members of regulatory...
The right to silence during investigations by the Autorité des Marchés Financiers
14 July 2022
The right to silence during investigations by the Autorité des Marchés Financiers
The right to silence is a constitutional principle in criminal proceedings. However, it turns out that this principle can be...