The French Data Protection Authority – CNIL (Commission Nationale de l’Informatique et des Libertés) fined Facebook €60 million and Google €150 million for non-compliance with the French Data Protection Act.
After numerous complaints and following online investigations, CNIL concluded that both Facebook and Google failed to make it as easy to reject cookies as it is to accept them.
The fine was issued by French CNIL rather than the Irish Data Protection Commission (lead supervisory authority for Facebook and Google) as cookies fall under the ePrivacy Directive which is embedded into French Data Protection Act and not GDPR.
However, GDPR still regulates consents and therefore fines can qualify as a GDPR fine.
Facebook €60 million fine
On the last day of 2021, CNIL issued a €60 million fine to Facebook Ireland Limited.
Google €150 million fine
In June 2021, the CNIL carried out an online investigation on websites google.fr and youtube.com and found that, while Google offers a button allowing users to immediately accept cookies, to reject them, they have to go through at least five different actions.
Following the investigation, the CNIL issued a €150 million fine to Google (€90 million fine to Google LLC and €60 million for Google Ireland Limited) on the account of their findings.
The restricted committee, the CNIL body in charge of issuing sanctions, stated that “making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to opt for the ease of the “I accept” button“.
Both Google and Facebook ignored cookies recommendations and cookie guidelines that clearly state that organizations must offer to users the possibility to accept or refuse online trackers with the same degree of simplicity.
The CNIL ordered the companies to provide users located in France with a means of refusing cookies as simple as the existing means of accepting them, within three months.
If they fail to do so, within three-months time, the companies will have to pay a penalty of €100 thousand euros per day of delay.
The amount of the fine is determined considering the number of data subjects involved, the scope of processing, and the profits of companies, which are mostly generated through the company’s advertising streams based on cookies.