On the 6th of January 2022, the French data protection authority (“CNIL”) fined Google €150 million ($170 million) and Facebook €60 million ($68 million) for making it too confusing for users to reject cookies.
The investigation carried out by CNIL revealed that websites facebook.com, youtube.com, and google.fr used unlawful cookie practices. While all three websites provide an option to opt-out of unnecessary cookies, the chosen mechanism discourages internet users from exercising this right.
With Facebook, CNIL notes that to refuse cookies, French users first have to click on a button labeled “Accept cookies” (emphasis ours). Such labeling “necessarily generates confusion,” says CNIL, leading users to believe they have no choice in the matter. With Google, the problem is one of asymmetry rather than mislabeling. CNIL notes that the company’s websites (including YouTube) allow users to accept all cookies with a single click. But, to reject them, they have to click through several different menu items. Users are being steered in a particular direction that just so happens to benefit Google.
Internet users expect to be able to consult a website quickly; refusing unnecessary cookies had not been made as easy as accepting them influences users’ choice in regards to consent thus affecting users’ freedom. This constitutes an infringement of Article 82 of the French Data Protection Act.
What can be expected now?
In addition to the fines, the French data protection authority ordered the companies to provide French internet users with a means of refusing cookies as simple as the existing means of accepting them to guarantee their freedom of consent within three months. If this is not resolved within three months, the companies will face an additional 100 000 EUR fine per day of delay. As the fines work as an example for other companies, not only can we expect harsher audits of cookies consent for other companies, but hopefully improvement in more website’s cookie notices.
How to manage the use of cookies?
The use of cookies is not forbidden, but Google and Facebook cases allow to understand better how to manage such use in line with applicable requirements:
- websites must inform the users about the type of cookies and the purpose of each of them while asking for cookies consent;
- the information must be in simple language without any difficulty to understand technical or legal details;
- if you use any third-party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information;
- consent must only be valid or registered via an explicit or positive action, such as clicking an accept button;
- the users also have the right to withdraw their cookie consent at any time, and it must be as easy as it was to give it;
- you must ensure that any non-essential cookies are not placed on your landing page (and similarly that any non-essential scripts or other technologies do not run until the user has given their consent).
If you need assistance in matters regarding the use of cookies or any other issues related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
The review was prepared by ECOVIS ProventusLaw data protection group’s experts.
Newsletter Subscription
Get in touch