The CNIL, France's data protection authority, fined Facebook 60 million euros and Google 150 million euros for improperly configuring their cookie policies.
The CNIL received several complaints regarding the method for opting out of cookies on the websites facebook.com, google.fr, and youtube.com, based on which it conducted an investigation. The investigation found that these websites’ cookie banners offer a simple option to accept all cookies but do not provide an equivalent option to reject the cookies being offered. If an internet user wishes to reject the cookies offered, they must click through multiple settings to do so.
The process used on these websites contradicts the concept of free consent: since internet users expect pages to load quickly and to have rapid access to the content of the visited website, but in reality cannot refuse the offered cookies as easily as accepting them, this influences their choice in favor of consent—we can thus speak of a form of coerced consent. This constitutes a violation of Article 82 of the French Data Protection Act. The consequences of this violation are the aforementioned fines totaling 210 million euros. In addition, the authority ordered the companies to allow French users to opt out of cookies as easily as they can opt in —to ensure freedom of consent—within three months. For each day of delay, the companies will pay a fine of 100,000 euros.
Facebook and Google are companies currently facing several ongoing investigations regarding data protection. The Irish Data Protection Commission (hereinafter “DPC,” which, under the EU General Data Protection Regulation (GDPR), serves as a single point of contact (OSS) and acts as a quasi-centralized enforcer for most major tech companies) is currently handling several complaints regarding problematic consent practices on their websites. However, the DPC’s handling of such complaints has proven to be “slow,” and the DPC has even been accused of restricting its oversight of tech giants in connection with the GDPR, thereby creating an obstacle to the effective enforcement of the regulation itself. It is possible that, in light of this fact, the French authority decided to take action against the companies under earlier EU legislation—the ePrivacy Directive—which grants national agencies jurisdiction over their own territories. The French are therefore seeking various ways to apply the GDPR’s personal data protection standards at the national level, despite the blockade by the Irish DPC.
Sources:
https://www.theverge.com/2022/1/7/22871719/france-fines-google-facebook-cookies-tracking-dark-patterns-eprivacy#comments
https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance
https://www.bbc.com/news/technology-59909647
https://techcrunch.com/2022/01/06/cnil-facebook-google-cookie-consent-eprivacy-breaches/
https://techcrunch.com/2021/11/01/digging-into-googles-push-to-freeze-eprivacy/
