Google and Facebook fined by French watchdog over cookie policies

6 Jan 2022

Image: © prima91/Stock.adobe.com

The companies now have three months to make it easier for French users to reject cookie tracking technology on their websites.

France’s data regulator has fined Google €150m and Facebook €60m over their cookie policies.

The CNIL said today (6 January) that the websites Facebook.com, Google.fr and YouTube.com do not allow users to refuse tracking cookies as easily as accepting them.

The watchdog noted that these sites offer a button allowing users to immediately accept cookies. But there is no equivalent button for rejecting and several clicks are needed to refuse all cookies.

It said that this “infringes the freedom of consent” as it “skews” the choice of users in favour of accepting cookies with a quicker process.

“Making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to opt for the ease of the consent button for cookies in the first window,” it stated in relation to the Facebook fine.

As a result, the CNIL has hit Google with two fines totalling €150m, including €90m for Google and €60m for Google Ireland. A €60m fine has also been levelled at Facebook’s Irish arm.

Google and Facebook now have three months to introduce changes for French users, providing an option to refuse cookies as easily as the current method of accepting them. The CNIL said that if changes are not made in that time frame, the companies will each have to pay a €100,000 fine per day.

A Google spokesperson said the company is committing to “further changes and active work with the CNIL”, while a spokesperson for Facebook parent company Meta said it is reviewing the decision and remains “committed to working with relevant authorities”.

ePrivacy

As both Google and Facebook have European headquarters in Dublin, Ireland’s Data Protection Commission is generally responsible for data protection fines under GDPR.

However, the CNIL is taking action under the European ePrivacy Directive, which is transposed in France’s Data Protection Act. These rules govern the privacy of communications, cookies and user tracking.

It is not the first time the French regulator has targeted tech companies for their cookie policies under the ePrivacy rules. In 2020, it fined Google €100m and Amazon €35m for dropping tracking cookies without consent.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Sarah Harford was sub-editor of Silicon Republic

editorial@siliconrepublic.com