On 31 December 2021, in two high-profile decisions, the “Commission Nationale de l’Informatique et des Libertés” (“CNIL”)[1], after considering that it had jurisdiction to “verify and sanction operations related to cookies deposited by the company on the terminals of Internet users located in France[2]”, issued the largest fines in its history: 60 million euros against Facebook[3], 60 million euros against Google Ireland Limited[4] and 90 million euros against Google LLC[5] (“Google”).

It warned the web giants of the consequences if they failed to comply with their obligations under Article 82 of the French Data Protection Act concerning the procedure for accepting and refusing cookies[6], a cookie being defined as a “small computer file, a tracer, deposited and read, for example, when consulting a website, reading an e-mail, installing or using software or a mobile application, regardless of the type of terminal used (computer, smartphone, digital reader, video game console connected to the Internet, etc.)”[7].

These two decisions, which were handed down on the same day, provide an opportunity to review the failings of Facebook, which was accused of setting up an overly complex and discouraging cookie handling process for its users, pushing them to accept them, and Google for failing to respect its users’ consent to cookies, shortly after being warned by the CNIL. Finally, with these two decisions, the CNIL points out the methods used, and the criteria retained for the calculation of fines.

I.  The CNIL criticized Facebook for having set up a complex and discouraging process for users wishing to refuse cookies

Since the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council called the General Data Protection Regulation, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her” [8]. Thus, “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment” [9].

Consequently, the CNIL’s restricted committee considered that both the method of collecting consent proposed to users by Facebook and the obvious lack of clarity of the information[10] were a clear violation of Article 82 of the French Data Protection Act[11].

Indeed, the CNIL criticized Facebook for having set up a complex and discouraging process for the user wishing to refuse the cookies[12]. Thus, the CNIL noted that “while it offers a button to immediately accept cookies, it does not offer an equivalent solution (button or other) enabling the user to refuse the deposit of cookies as easily[13]”. In practice, if a user wished to refuse the cookies, a single click was not enough, he had to refuse them one by one[14]. According to the CNIL, this procedure for refusing cookies, considered to be complex and time-consuming, dissuades the user from refusing them[15] and “affects the freedom of consent of Internet users[16]”.

Facebook was also criticized for the information path explaining to the user how to refuse cookies. This was considered confusing and unclear as the user, in order to refuse the deposit of cookies, had to click on a button entitled “Accept cookies”[17]. Specifically, once the user arrived on the “com” website, he had to “refuse the deposit of advertising cookies, first click on the “Manage data settings” button in the first window, scroll through the entire second window that appears, leaving the two sliding buttons deactivated so as not to accept cookies, and then click on the “Accept cookies” button at the bottom of the second window[18]”. The CNIL considered that such a process necessarily led to confusion in the mind of the user, who could imagine that it was not possible to refuse the deposit of cookies and that he had no control over this[19].

II.  The CNIL criticized Google for not allowing users to refuse cookies as easily as to accept them

 Concerning the websites “fr” and “youtube.fr” of the Google companies, the latter were accused of having only provided the acceptance of cookies when opening a web page[20], whereas to refuse them it was necessary to go to the browser settings[21] and to have set up a single action to consent to cookies but no less than five actions to refuse them[22].

In response, Google argued that “neither the “ePrivacy” Directive, nor the GDPR, nor Article 82 of the French Data Protection Act provided that the action of refusing cookies should be as simple as accepting them[23]”. Google added that “the fact of not proposing, at the first level of information, a “Refuse all” button is not contrary to the principle of freedom of consent insofar as users have the possibility of refusing cookies by clicking on the “Personalise” button[24].”

 Nevertheless, the CNIL specified in its decision of 31 December 2021 that in its recommendation of 17 September 2020, it had already advised data controllers to set up a mechanism allowing the user to choose at the same time, on the same page and through the same window, whether to refuse cookies or accept them[25].

The CNIL also reminded Google that “the companies were recently sanctioned for breaches of Article 82 of the French Data Protection Act regarding the information and gathering of consent from individuals before the deposit of cookies on their terminal. Although this sanction is not final since it is being appealed to the Council of State, the restricted committee nevertheless notes that the companies’ attention had been explicitly drawn by the CNIL services to the methods for refusing cookies[26]”. In this regard, after an unsuccessful appeal to the Council of State on 7 March 2021 in order to invalidate the injunction made to the Google companies to comply with the decisions[27], the latter once again pleaded before the same jurisdiction in early January 2022 in order to obtain the cancellation of the fine imposed by the CNIL in December 2020[28].

The CNIL therefore considered that Google had not been aware of the consequences of such successive breaches.

III.   An illustration of the criteria used by the CNIL to determine the fines and its assessment of the need to impose a penalty payment

 In order to determine the amount of the fines imposed on Facebook, the CNIL applied certain criteria provided for in Article 83(2) of the GDPR. It took into account the “gravity of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected[29]”but also the financial benefits gained as a result of the infringement[30] and the financial capacity of Facebook[31].

In assessing the amount of the fines imposed on Google, the restricted committee considered that the violation was committed deliberately[32]. Indeed, the two Google companies had already been sanctioned recently for infringements of Article 82 of the French Data Protection Act concerning the information and gathering of consent from individuals prior to the gathering of cookies on their terminal[33].

Finally, for both Facebook and Google, the CNIL relied on their influence and prominence online[34], their revenue from advertising[35] and the number of visitors over the past twelve months.

In addition, considering that the compagnies had already been alerted to the necessity of changing their practices and in order to ensure that the required steps would be taken in the future, the CNIL imposed injunction under penalty to modify the modalities of the gathering of users’ consent to cookies.