On 30 and 31 December 2021, the CNIL sanctioned :
- FACEBOOK IRELAND LIMITED with a € 60 million fine ; and
- GOOGLE with a fine totalling €150 million (€ 90 million for GOOGLE LLC and € 60 million for GOOGLE IRELAND LIMITED)
Following several complaints regarding the modalities for refusing cookies and other trackers on the websites Facebook.com, Google.fr and Youtube.com, the CNIL carried out online checks on these websites in April and June 2021.
During these audits, the authority noticed that the sites offered a button allowing the user to immediately accept cookies but no equivalent solution (e.g. button or another modality) enabling to refuse them as easily.
Thus, the Authority found that on each of these sites, a single click was required to accept the cookies, whereas several clicks were needed to refuse them.
It, therefore, considered that :
making the refusal mechanism more complex than the consent mechanism is tantamount to discouraging users from refusing cookies and that such a procedure undermines the freedom of users’ consent;
As a result, the methods of collecting consent proposed to users as well as the lack of clarity of the information provided to them constitute violations of Article 82 of the French Data Protection Act.
In these cases, the CNIL has the power to impose an administrative fine, up to a maximum of 2% of the controller’s total annual worldwide turnover for the previous financial year (see here for more information on GDPR sanctions).
As a result of the breaches identified, the CNIL has therefore imposed the following penalties:
– a fine of €60 million against Facebook Ireland Ltd ;
– a fine of 150 million euros against GOOGLE (90 million euros for GOOGLE LLC and 60 million euros for GOOGLE IRELAND LIMITED)
In addition to these penalties, an injunction under penalty of 100,000 euros per day of delay, to make available to Internet users located in France, within three months of notification of the decision, a means of refusing cookies as easily as the existing means of accepting them.
The determination of the amount of these fines is based on the criteria specified in Article 83 of the RGPD (e.g. duration and seriousness of the infringement, number of persons concerned, intentional element, etc.).
Although the CNIL also recalls, in the Google decision, that the rapporteur is not required to specify the way in which the proposed fines are calculated, it justifies the penalties in particular on the basis of the following elements:
- the scope of the processing, the number of people concerned and the considerable benefits that the companies derive from the advertising revenues indirectly generated from the data collected by the cookies (e.g. it is noted that Google.fr had more than 51 million unique visitors residing in France per month and YouTube more than 46 million (press release of 24 August 2020 published on the Médiamétrie website);
- to this end, in both cases, the CNIL considered as serious taking into account the nature and scope of the processing and the number of persons concerned by them. (of Article 83(2)(a) of the GDPR) ;
Jurisdiction of the CNIL
As it had already pointed out in previous decisions against Google and Amazon, the CNIL is materially competent to control and sanction operations related to cookies deposited by companies on the terminals of Internet users located in France.
If you have any question, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.