On 30 and 31 December 2021, the CNIL sanctioned :
- FACEBOOK IRELAND LIMITED with a € 60 million fine ; and
- GOOGLE with a fine totalling €150 million (€ 90 million for GOOGLE LLC and € 60 million for GOOGLE IRELAND LIMITED)
because they did not allow users of the social network facebook.com and the websites google.fr and youtube.com residing in France to refuse cookies as easily as to accept them.
The CNIL had already sanctioned Google and Amazon with regard to the modalities of consent and information notice relating to the use of cookies, but the CNIL had specified on its website that these decisions did not concern the modalities for refusing cookies insofar as at the time of the procedure, the CNIL recommendation was not yet applicable. This statement suggested that controls would take place at a later date.
These decisions reminds all website operators that the “refuse cookies” button or any equivalent modality is as important as the “accept cookies” button in the cookie banners.
Background Information
Following several complaints regarding the modalities for refusing cookies and other trackers on the websites Facebook.com, Google.fr and Youtube.com, the CNIL carried out online checks on these websites in April and June 2021.
During these audits, the authority noticed that the sites offered a button allowing the user to immediately accept cookies but no equivalent solution (e.g. button or another modality) enabling to refuse them as easily.
Thus, the Authority found that on each of these sites, a single click was required to accept the cookies, whereas several clicks were needed to refuse them.
In the case of Facebook, the CNIL also noted that the button allowing users to refuse cookies is located at the bottom of the second window and is entitled “Accept cookies”.
It, therefore, considered that :
making the refusal mechanism more complex than the consent mechanism is tantamount to discouraging users from refusing cookies and that such a procedure undermines the freedom of users’ consent;
the information path is unclear. Indeed, to refuse cookies, users must click on a button entitled “Accept cookies” in the second window. This title is necessarily confusing and may lead users to believe that it is not possible to refuse the deposit of cookies.
As a result, the methods of collecting consent proposed to users as well as the lack of clarity of the information provided to them constitute violations of Article 82 of the French Data Protection Act.
The sanctions
In these cases, the CNIL has the power to impose an administrative fine, up to a maximum of 2% of the controller’s total annual worldwide turnover for the previous financial year (see here for more information on GDPR sanctions).
As a result of the breaches identified, the CNIL has therefore imposed the following penalties:
– a fine of €60 million against Facebook Ireland Ltd ;
– a fine of 150 million euros against GOOGLE (90 million euros for GOOGLE LLC and 60 million euros for GOOGLE IRELAND LIMITED)
In addition to these penalties, an injunction under penalty of 100,000 euros per day of delay, to make available to Internet users located in France, within three months of notification of the decision, a means of refusing cookies as easily as the existing means of accepting them.
The determination of the amount of these fines is based on the criteria specified in Article 83 of the RGPD (e.g. duration and seriousness of the infringement, number of persons concerned, intentional element, etc.).
Although the CNIL also recalls, in the Google decision, that the rapporteur is not required to specify the way in which the proposed fines are calculated, it justifies the penalties in particular on the basis of the following elements:
- the scope of the processing, the number of people concerned and the considerable benefits that the companies derive from the advertising revenues indirectly generated from the data collected by the cookies (e.g. it is noted that Google.fr had more than 51 million unique visitors residing in France per month and YouTube more than 46 million (press release of 24 August 2020 published on the Médiamétrie website);
- to this end, in both cases, the CNIL considered as serious taking into account the nature and scope of the processing and the number of persons concerned by them. (of Article 83(2)(a) of the GDPR) ;
- with regard to Google, the CNIL also noted the fact that the CNIL services had already, in February 2021, drawn the attention of GOOGLE companies to this failure and, in general, had communicated on numerous occasions that it should be as simple to refuse cookies as to accept them;
Jurisdiction of the CNIL
As it had already pointed out in previous decisions against Google and Amazon, the CNIL is materially competent to control and sanction operations related to cookies deposited by companies on the terminals of Internet users located in France.
Indeed, the cooperation mechanism provided for by the RGPD (“one-stop shop” mechanism) does not apply insofar as operations related to the use of cookies fall under the “ePrivacy” Directive 2002/58/EC, transposed in Article 82 of the Data Protection Act.
The CNIL also considers itself to be territorially competent pursuant to Article 3 of the French Data Protection Act because the use of cookies is carried out within the “framework of the activities” of GOOGLE FRANCE, which constitutes the “establishment” on French territory of GOOGLE LLC and GOOGLE IRELAND LIMITED, and of FACEBOOK FRANCE, which constitutes the “establishment” on French territory of FACEBOOL IRELAND LTD, which is the data controller.
CONTACT
If you have any question, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.
