On the 6th of January 2022, the French data protection authority (“CNIL”) fined Google €150 million ($170 million) and Facebook €60 million ($68 million) for making it too confusing for users to reject cookies.
The investigation carried out by CNIL revealed that websites facebook.com, youtube.com, and google.fr used unlawful cookie practices. While all three websites provide an option to opt-out of unnecessary cookies, the chosen mechanism discourages internet users from exercising this right.
Internet users expect to be able to consult a website quickly; refusing unnecessary cookies had not been made as easy as accepting them influences users’ choice in regards to consent thus affecting users’ freedom. This constitutes an infringement of Article 82 of the French Data Protection Act.
What can be expected now?
In addition to the fines, the French data protection authority ordered the companies to provide French internet users with a means of refusing cookies as simple as the existing means of accepting them to guarantee their freedom of consent within three months. If this is not resolved within three months, the companies will face an additional 100 000 EUR fine per day of delay. As the fines work as an example for other companies, not only can we expect harsher audits of cookies consent for other companies, but hopefully improvement in more website’s cookie notices.
- websites must inform the users about the type of cookies and the purpose of each of them while asking for cookies consent;
- the information must be in simple language without any difficulty to understand technical or legal details;
- if you use any third-party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information;
- consent must only be valid or registered via an explicit or positive action, such as clicking an accept button;
- the users also have the right to withdraw their cookie consent at any time, and it must be as easy as it was to give it;
- you must ensure that any non-essential cookies are not placed on your landing page (and similarly that any non-essential scripts or other technologies do not run until the user has given their consent).
The review was prepared by ECOVIS ProventusLaw data protection group’s experts.