Analysis
25 January 2022

CNIL imposes the largest sanctions in its history on Facebook and Google

CNIL issued the largest fines in its history against Facebook and Google for infringements of the existing regulations on cookies.

 

On 31 December 2021, in two high-profile decisions, the “Commission Nationale de l’Informatique et des Libertés” (“CNIL”)[1], after considering that it had jurisdiction to “verify and sanction operations related to cookies deposited by the company on the terminals of Internet users located in France[2]”, issued the largest fines in its history: 60 million euros against Facebook[3], 60 million euros against Google Ireland Limited[4] and 90 million euros against Google LLC[5] (“Google”).

It warned the web giants of the consequences if they failed to comply with their obligations under Article 82 of the French Data Protection Act concerning the procedure for accepting and refusing cookies[6], a cookie being defined as a “small computer file, a tracer, deposited and read, for example, when consulting a website, reading an e-mail, installing or using software or a mobile application, regardless of the type of terminal used (computer, smartphone, digital reader, video game console connected to the Internet, etc.)”[7].

These two decisions, which were handed down on the same day, provide an opportunity to review the failings of Facebook, which was accused of setting up an overly complex and discouraging cookie handling process for its users, pushing them to accept them, and Google for failing to respect its users’ consent to cookies, shortly after being warned by the CNIL. Finally, with these two decisions, the CNIL points out the methods used, and the criteria retained for the calculation of fines.

 

I.  The CNIL criticized Facebook for having set up a complex and discouraging process for users wishing to refuse cookies

Since the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council called the General Data Protection Regulation, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her” [8]. Thus, “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment [9].

Consequently, the CNIL’s restricted committee considered that both the method of collecting consent proposed to users by Facebook and the obvious lack of clarity of the information[10] were a clear violation of Article 82 of the French Data Protection Act[11].

Indeed, the CNIL criticized Facebook for having set up a complex and discouraging process for the user wishing to refuse the cookies[12]. Thus, the CNIL noted that “while it offers a button to immediately accept cookies, it does not offer an equivalent solution (button or other) enabling the user to refuse the deposit of cookies as easily[13]”. In practice, if a user wished to refuse the cookies, a single click was not enough, he had to refuse them one by one[14]. According to the CNIL, this procedure for refusing cookies, considered to be complex and time-consuming, dissuades the user from refusing them[15] and “affects the freedom of consent of Internet users[16]”.

Facebook was also criticized for the information path explaining to the user how to refuse cookies. This was considered confusing and unclear as the user, in order to refuse the deposit of cookies, had to click on a button entitled “Accept cookies”[17]. Specifically, once the user arrived on the “com” website, he had to “refuse the deposit of advertising cookies, first click on the “Manage data settings” button in the first window, scroll through the entire second window that appears, leaving the two sliding buttons deactivated so as not to accept cookies, and then click on the “Accept cookies” button at the bottom of the second window[18]”. The CNIL considered that such a process necessarily led to confusion in the mind of the user, who could imagine that it was not possible to refuse the deposit of cookies and that he had no control over this[19].

 

II.  The CNIL criticized Google for not allowing users to refuse cookies as easily as to accept them

 Concerning the websites “fr” and “youtube.fr” of the Google companies, the latter were accused of having only provided the acceptance of cookies when opening a web page[20], whereas to refuse them it was necessary to go to the browser settings[21] and to have set up a single action to consent to cookies but no less than five actions to refuse them[22].

In response, Google argued that “neither the “ePrivacy” Directive, nor the GDPR, nor Article 82 of the French Data Protection Act provided that the action of refusing cookies should be as simple as accepting them[23]”. Google added that “the fact of not proposing, at the first level of information, a “Refuse all” button is not contrary to the principle of freedom of consent insofar as users have the possibility of refusing cookies by clicking on the “Personalise” button[24].

 Nevertheless, the CNIL specified in its decision of 31 December 2021 that in its recommendation of 17 September 2020, it had already advised data controllers to set up a mechanism allowing the user to choose at the same time, on the same page and through the same window, whether to refuse cookies or accept them[25].

The CNIL also reminded Google that “the companies were recently sanctioned for breaches of Article 82 of the French Data Protection Act regarding the information and gathering of consent from individuals before the deposit of cookies on their terminal. Although this sanction is not final since it is being appealed to the Council of State, the restricted committee nevertheless notes that the companies’ attention had been explicitly drawn by the CNIL services to the methods for refusing cookies[26]”. In this regard, after an unsuccessful appeal to the Council of State on 7 March 2021 in order to invalidate the injunction made to the Google companies to comply with the decisions[27], the latter once again pleaded before the same jurisdiction in early January 2022 in order to obtain the cancellation of the fine imposed by the CNIL in December 2020[28].

The CNIL therefore considered that Google had not been aware of the consequences of such successive breaches.

 

III.   An illustration of the criteria used by the CNIL to determine the fines and its assessment of the need to impose a penalty payment

 In order to determine the amount of the fines imposed on Facebook, the CNIL applied certain criteria provided for in Article 83(2) of the GDPR. It took into account the “gravity of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected[29]”but also the financial benefits gained as a result of the infringement[30] and the financial capacity of Facebook[31].

In assessing the amount of the fines imposed on Google, the restricted committee considered that the violation was committed deliberately[32]. Indeed, the two Google companies had already been sanctioned recently for infringements of Article 82 of the French Data Protection Act concerning the information and gathering of consent from individuals prior to the gathering of cookies on their terminal[33].

Finally, for both Facebook and Google, the CNIL relied on their influence and prominence online[34], their revenue from advertising[35] and the number of visitors over the past twelve months.

In addition, considering that the compagnies had already been alerted to the necessity of changing their practices and in order to ensure that the required steps would be taken in the future, the CNIL imposed injunction under penalty to modify the modalities of the gathering of users’ consent to cookies.

Related content

Press review
23 February 2024
Press review – Week of 19 February 2024
This week’s press review covers Donald Trump and his sons’ conviction for fraud in New York, the decision of Paris...
Press review
16 February 2024
Press review – Week of 12 February 2024
This week’s press review looks back at the legacy of former French minister of Justice Robert Badinter who recently passed...
Analysis
European Commission
10 January 2024
Digital Markets Act: Combating anti-competitive practices in the digital sector
On 6 September 2023, almost a year after the adoption of the Digital Markets Act, the European Commission published the...
News
21 December 2023
Fine of €13.5 million against Sony for abuse of dominant position in the video games sector
A busy December for the French competition regulator (Autorité de la concurrence) as it just issued two heavy sanctions over...
News
21 December 2023
Fine of €91.6 million against Rolex for vertical agreement restricting competition in the distribution of...
A busy December for the French competition regulator (Autorité de la concurrence) as it just issued two heavy sanctions over...
Press review
27 October 2023
Press review – Week of 23 October 2023
This week, the press review looks back at the seizure of almost 60 million euros by French judicial authorities in...
Analysis
23 October 2023
Heavy sanction imposed by the French Financial Market Authority (AMF) for market manipulation
In its decision of 7 September 2023, the Enforcement Committee of the “Autorité des marchés financiers” ("AMF") fined the French...
Press review
Press review
29 September 2023
Press review – Week of 25 September 2023
This week, let's look back at the French Constitutional Council decision repealing an article of the French Criminal Procedure Code...
Publication
16 August 2023
France mulls privilege protections for in-house legal advice
French lawyers said the proposed legislation would give French companies greater protections from evidence-gathering requests sent by foreign regulators.
Publication
Focus on the French financial markets authority activity (AMF)
13 July 2023
[Infography] Focus on the French financial markets authority activity (AMF)
The French Financial Markets Authority (“AMF”) intensive enforcement activity again demonstrates the regulator’s ambition to continuously strengthen market surveillance, through...
Publication
13 July 2023
[Infographie] Focus on the French data protection authority activity (CNIL)
Over the past months, the French Commission Nationale de l’Informatique et des Libertés (“CNIL”), regulator of personal data, imposed tremendous...
Analysis
La 32e chambre correctionnelle du tribunal judiciaire de Paris se prononce pour la première fois en matière de délit de manipulation de marché
7 July 2023
The Paris Criminal Court issues its first decision on a market manipulation case
On 25 May 2023, the Paris Criminal Court (32nd Chamber) ruled for the first time on the offence of market...