The French Data Protection Authority – CNIL (Commission Nationale de l’Informatique et des Libertés) fined Facebook €60 million and Google €150 million for non-compliance with the French Data Protection Act.
Facebook is a social media giant with over 2.895 billion monthly active users, and at least 1.908 billion people use Facebook every day.
Google, on the other hand, is the most visited website in the whole world, with over 92 billion visits last March of 2021. And did you know that 92.41% of the search engine segment is controlled by Google?
After numerous complaints and online investigations, CNIL concluded that both Facebook and Google failed to make it as easy to reject cookies as it is to accept them.
While websites offer a button allowing a single click to accept cookies, they do not provide an equivalent solution that would allow users to refuse cookies just as easily.
The fine was issued by French CNIL rather than the Irish Data Protection Commission (lead supervisory authority for Facebook and Google) as cookies fall under the ePrivacy Directive, which is embedded into French Data Protection Act and not GDPR.
However, GDPR still regulates consent, and therefore, fines can qualify as a GDPR fine.
Facebook €60 million fine
On the last day of 2021, CNIL issued a €60 million fine to Facebook Ireland Limited.
The investigation, which started in April, uncovered that, as opposed to a single button to accept cookies, Facebook requires several clicks to refuse cookies.
In addition, the button to refuse cookies is located at the bottom of a second page and was labeled “Accept cookies,” which was not only confusing but also misleading.
Google €150 million fine
In June 2021, the CNIL carried out an online investigation on websites google.fr and youtube.com and found that, while Google offers a button allowing users to immediately accept cookies, to reject them, they have to go through at least five different actions.
Following the investigation, the CNIL issued a €150 million fine to Google (€90 million fine to Google LLC and €60 million for Google Ireland Limited) on account of their findings.
The restricted committee, the CNIL body in charge of issuing sanctions, stated that “making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to opt for the ease of the “I accept” button“.
Conclusion
Both Google and Facebook ignored cookie recommendations and cookie guidelines that clearly state that organizations must offer to users the possibility to accept or refuse online trackers with the same degree of simplicity.
The CNIL ordered the companies to provide users in France with a means of refusing cookies as simple as the existing means of accepting them within three months.
If they fail to do so within three-months time, the companies will have to pay a penalty of €100 thousand per day of delay.
The amount of the fine is determined considering the number of data subjects involved, the scope of processing, and the profits of companies, which are mostly generated through the company’s advertising streams based on cookies.