CNIL imposes the largest sanctions in its history on Facebook and Google
CNIL issued the largest fines in its history against Facebook and Google for infringements of the existing regulations on cookies.
On 31 December 2021, in two high-profile decisions, the “Commission Nationale de l’Informatique et des Libertés” (“CNIL”)[1], after considering that it had jurisdiction to “verify and sanction operations related to cookies deposited by the company on the terminals of Internet users located in France[2]”, issued the largest fines in its history: 60 million euros against Facebook[3], 60 million euros against Google Ireland Limited[4] and 90 million euros against Google LLC[5] (“Google”).
It warned the web giants of the consequences if they failed to comply with their obligations under Article 82 of the French Data Protection Act concerning the procedure for accepting and refusing cookies[6], a cookie being defined as a “small computer file, a tracer, deposited and read, for example, when consulting a website, reading an e-mail, installing or using software or a mobile application, regardless of the type of terminal used (computer, smartphone, digital reader, video game console connected to the Internet, etc.)”[7].
These two decisions, which were handed down on the same day, provide an opportunity to review the failings of Facebook, which was accused of setting up an overly complex and discouraging cookie handling process for its users, pushing them to accept them, and Google for failing to respect its users’ consent to cookies, shortly after being warned by the CNIL. Finally, with these two decisions, the CNIL points out the methods used, and the criteria retained for the calculation of fines.
I. The CNIL criticized Facebook for having set up a complex and discouraging process for users wishing to refuse cookies
Since the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council called the General Data Protection Regulation, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her” [8]. Thus, “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment” [9].
Consequently, the CNIL’s restricted committee considered that both the method of collecting consent proposed to users by Facebook and the obvious lack of clarity of the information[10] were a clear violation of Article 82 of the French Data Protection Act[11].
Indeed, the CNIL criticized Facebook for having set up a complex and discouraging process for the user wishing to refuse the cookies[12]. Thus, the CNIL noted that “while it offers a button to immediately accept cookies, it does not offer an equivalent solution (button or other) enabling the user to refuse the deposit of cookies as easily[13]”. In practice, if a user wished to refuse the cookies, a single click was not enough, he had to refuse them one by one[14]. According to the CNIL, this procedure for refusing cookies, considered to be complex and time-consuming, dissuades the user from refusing them[15] and “affects the freedom of consent of Internet users[16]”.
Facebook was also criticized for the information path explaining to the user how to refuse cookies. This was considered confusing and unclear as the user, in order to refuse the deposit of cookies, had to click on a button entitled “Accept cookies”[17]. Specifically, once the user arrived on the “com” website, he had to “refuse the deposit of advertising cookies, first click on the “Manage data settings” button in the first window, scroll through the entire second window that appears, leaving the two sliding buttons deactivated so as not to accept cookies, and then click on the “Accept cookies” button at the bottom of the second window[18]”. The CNIL considered that such a process necessarily led to confusion in the mind of the user, who could imagine that it was not possible to refuse the deposit of cookies and that he had no control over this[19].
II. The CNIL criticized Google for not allowing users to refuse cookies as easily as to accept them
Concerning the websites “fr” and “youtube.fr” of the Google companies, the latter were accused of having only provided the acceptance of cookies when opening a web page[20], whereas to refuse them it was necessary to go to the browser settings[21] and to have set up a single action to consent to cookies but no less than five actions to refuse them[22].
In response, Google argued that “neither the “ePrivacy” Directive, nor the GDPR, nor Article 82 of the French Data Protection Act provided that the action of refusing cookies should be as simple as accepting them[23]”. Google added that “the fact of not proposing, at the first level of information, a “Refuse all” button is not contrary to the principle of freedom of consent insofar as users have the possibility of refusing cookies by clicking on the “Personalise” button[24].”
Nevertheless, the CNIL specified in its decision of 31 December 2021 that in its recommendation of 17 September 2020, it had already advised data controllers to set up a mechanism allowing the user to choose at the same time, on the same page and through the same window, whether to refuse cookies or accept them[25].
The CNIL also reminded Google that “the companies were recently sanctioned for breaches of Article 82 of the French Data Protection Act regarding the information and gathering of consent from individuals before the deposit of cookies on their terminal. Although this sanction is not final since it is being appealed to the Council of State, the restricted committee nevertheless notes that the companies’ attention had been explicitly drawn by the CNIL services to the methods for refusing cookies[26]”. In this regard, after an unsuccessful appeal to the Council of State on 7 March 2021 in order to invalidate the injunction made to the Google companies to comply with the decisions[27], the latter once again pleaded before the same jurisdiction in early January 2022 in order to obtain the cancellation of the fine imposed by the CNIL in December 2020[28].
The CNIL therefore considered that Google had not been aware of the consequences of such successive breaches.
III. An illustration of the criteria used by the CNIL to determine the fines and its assessment of the need to impose a penalty payment
In order to determine the amount of the fines imposed on Facebook, the CNIL applied certain criteria provided for in Article 83(2) of the GDPR. It took into account the “gravity of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected[29]”but also the financial benefits gained as a result of the infringement[30] and the financial capacity of Facebook[31].
In assessing the amount of the fines imposed on Google, the restricted committee considered that the violation was committed deliberately[32]. Indeed, the two Google companies had already been sanctioned recently for infringements of Article 82 of the French Data Protection Act concerning the information and gathering of consent from individuals prior to the gathering of cookies on their terminal[33].
Finally, for both Facebook and Google, the CNIL relied on their influence and prominence online[34], their revenue from advertising[35] and the number of visitors over the past twelve months.
In addition, considering that the compagnies had already been alerted to the necessity of changing their practices and in order to ensure that the required steps would be taken in the future, the CNIL imposed injunction under penalty to modify the modalities of the gathering of users’ consent to cookies.
Related content
Press review
20 September 2024
Press review – Week of 16 September 2024
This week’s press review focuses on the new obligation to relinquish seized assets in CJIP introduced by Law 2024-582, the...
Press review
19 July 2024
Press review – Week of 15 July 2024
This week’s press review looks at the European Commission’s complaint against the social network X (formerly Twitter) for misleading its...
Publication
14 July 2024
Overview of 2024: Regulatory matters & investigations
Panorama of decisions and events relating to regulatory matters & investigations which have occurred in France over the last twelve months.
Publication
14 July 2024
Focus on the French financial markets authority activity (AMF)
2023 marked the 20th anniversary of the AMF. More than ever, the French regulator intends to support Paris as Europe’s...
Press review
12 July 2024
Press review – Week of 8 July 2024
This week, the press review covers the confirmed conviction of a French sawmill for illegally importing exotic wood from Brazil,...
Press review
5 July 2024
Press review – Week of 1 July 2024
This week, the press review covers the acquittal of 28 people implicated in the Panama Papers scandal, Turkey’s withdrawal and...
Press review
28 June 2024
Press review – Week of 24 June 2024
This week, the press review covers the conviction of Jean-Paul Huchon for illegal taking of interests, the case of Jean-Christophe...
Event
5 June 2024
Update on Sanctions Litigation, Arbitration, and Enforcement – with EU, French and Swiss perspectives
A panel held on 5 June 2024 in Berlin, during the C5's European Forum on Global Economic Sanctions.
Analysis
29 May 2024
The challenge of regulating generative artificial intelligence
On February 14, the French National Assembly's Law Commission published a report on the challenges posed by generative artificial intelligence...
Press review
19 April 2024
Press review – Week of 15 April 2024
This week, the press review covers the publication of TRACFIN’s 2023 report on professionals’ suspicious transaction reports, the decision of...
Press review
22 March 2024
Press review – Week of 18 March 2024
This week, the press review covers the report of the French Court of Auditors on the financial situation of the...
Press review
15 March 2024
Press review – Week of 11 March 2024
This week’s press review covers the implementation by the AMF of two guidelines issued by the European Banking Authority, the...
We use cookies to optimize our website and our services.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Préférences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.