Cookies: CNIL sanctions Google and Facebook for non-compliance with the rules on refusing cookies

Cookies: CNIL sanctions Google and Facebook for non-compliance with the rules on refusing cookies

On 31 December 2021, the French data protection authority (CNIL) has issued a sanction against two companies of the GOOGLE Group (GOOGLE LLC and GOOGLE IRELAND LIMITED) and the company FACEBOOK IRELAND LIMITED for failure to comply with Article 82 of the French Data Protection Act of 6 January 1978 as amended.

The CNIL states that it has received several complaints concerning the methods of refusing the use of cookies on the following websites:

  • ;
  • ;

Following checks, the CNIL found that the above-mentioned websites offered a button for accepting cookies but no equivalent solution to allow Internet users to refuse cookies.

Several clicks were necessary to refuse all the cookies, whereas a single click on the button provided for this purpose (“I accept” or “Accept cookies”) was sufficient to accept them all.

The CNIL considered that Internet users could not refuse the use of cookies as simply as they accepted them. A complex process for refusing cookies discourages users and encourages them to accept cookies for convenience. Such a practice undermines the freedom of consent of Internet users and constitutes a violation of Article 82 of the Data Protection Act.

Consequently, the CNIL imposed the following financial penalties:

  • 150 million euros against GOOGLE (90 million euros for GOOGLE LLC and 60 million euros for GOOGLE IRELAND LIMITED);
  • 60 million against FACEBOOK IRELAND LIMITED.

The CNIL also ordered the companies to comply within 3 months and to implement a solution allowing Internet users located in France to refuse cookies as easily as to accept them. If they fail to do so, the companies will have to pay a penalty of 100,000 euros per day of delay.

Délibération SAN-2021-023 du 31 décembre 2021 – Légifrance (

Délibération SAN-2021-024 du 31 décembre 2021 – Légifrance (

Brexit and transfer of personal data to UK

Brexit and transfer of personal data to UK

European Data Protection Board (EDPB) has adopted on 12 February 2019 an information note on data transfers under the GDPR in the event of a no-deal Brexit.

EDPB confirms that as of 30 March 2019, unless an adequacy decision is adopted by the European Commission by then, data transfers must be based either on:

  • standard data protection clauses,
  • binding corporate rules
  • codes of conduct
  • derogations (strictly interpreted).

It is therefore recommended to:

  • identify the data processing which imply a data transfer to the UK,
  • amend the contract with appropriate clauses,
  • update internal documentation (register of processing operations),
  • update privacy notice.