On 31 December 2021, the French data protection authority (CNIL) has issued a sanction against two companies of the GOOGLE Group (GOOGLE LLC and GOOGLE IRELAND LIMITED) and the company FACEBOOK IRELAND LIMITED for failure to comply with Article 82 of the French Data Protection Act of 6 January 1978 as amended.
The CNIL states that it has received several complaints concerning the methods of refusing the use of cookies on the following websites:
- facebook.com ;
- google.fr ;
- youtube.com.
Following checks, the CNIL found that the above-mentioned websites offered a button for accepting cookies but no equivalent solution to allow Internet users to refuse cookies.
Several clicks were necessary to refuse all the cookies, whereas a single click on the button provided for this purpose (“I accept” or “Accept cookies”) was sufficient to accept them all.
The CNIL considered that Internet users could not refuse the use of cookies as simply as they accepted them. A complex process for refusing cookies discourages users and encourages them to accept cookies for convenience. Such a practice undermines the freedom of consent of Internet users and constitutes a violation of Article 82 of the Data Protection Act.
Consequently, the CNIL imposed the following financial penalties:
- 150 million euros against GOOGLE (90 million euros for GOOGLE LLC and 60 million euros for GOOGLE IRELAND LIMITED);
- 60 million against FACEBOOK IRELAND LIMITED.
The CNIL also ordered the companies to comply within 3 months and to implement a solution allowing Internet users located in France to refuse cookies as easily as to accept them. If they fail to do so, the companies will have to pay a penalty of 100,000 euros per day of delay.
Délibération SAN-2021-023 du 31 décembre 2021 – Légifrance (legifrance.gouv.fr)
Délibération SAN-2021-024 du 31 décembre 2021 – Légifrance (legifrance.gouv.fr)