Biting off more than they can chew? French regulator imposes more cookie fines on Big Tech
On the last day of 2021, the French regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed fines on Facebook Ireland Limited, Google LLC and Google Ireland Limited for non-compliance with French data protection law. The rulings, while somewhat controversial, should give companies more incentive to make sure their cookie policies are in order (see here for advice).
Facebook’s fine related to users’ difficulty in refusing cookies on facebook.com: for example, refusing cookies required clicking on a page called “Accept cookies”. Facebook was found to have breached French data protection law (which implements the ePrivacy Directive). It was fined 60 million euros and issued with an injunction to make refusing cookies as simple as accepting them, with a fine of €100,000 per day in the event of non-compliance.
Google’s fine amounted to 150 million euros for google.fr and youtube.com. The CNIL found that it was easier for users to accept all cookies (with one click) than to refuse them (requiring several clicks), affecting users’ freedom of consent. The fine was accompanied by an injunction similar to that of Facebook.
What was the rationale?
The amount of these fines was based on the number of people affected and the “considerable profits…of advertising revenue generated indirectly from the data collected by the cookies”. The CNIL also noted that it had notified Google in February 2021 of its infringement and referred to its previous communications issuing guidelines.
What about the GDPR “one stop shop”?
The CNIL was not deterred from asserting its competence by the cooperation and consistency mechanism of the GDPR (the “one-stop shop”, where the “lead supervisory authority” of a party – which for both organizations would have been the Irish DPC – is responsible for enforcement actions across the EU). Its rationale was that its enforcement action was based on the ePrivacy Directive, and therefore the GDPR one-stop shop did not apply.
However, this argument has not been universally accepted. The CNIL decisions (here and here) indicate that the companies have breached the French provision implementing Article 5(3) of the ePrivacy Directive (according to which consent is the only legal basis for cookies), but also note that the ePrivacy Directive refers to the GDPR for its definition of consent. As such, some commentators have suggested that action should have been taken in Ireland under the GDPR one-stop shop – as the businesses themselves have argued. Other commentators have expressed concerns about fragmentation within the EU.
That said, the one-stop shop itself has been criticized (by, among others, EDPS Wojciech Wiewiórowski during a roundtable in 2021). Additionally, the CJEU confirmed in 2021 (in another cookie case involving Facebook, cited in the CNIL decisions) that in certain circumstances the GDPR allows any EU national data protection authority – not just the lead supervisory authority – to pursue a privacy action with regard to cross-border data processing where “the subject matter only concerns an establishment located in its own Member State or does not substantially affect data subjects other than in that Member State”, or where urgent action is required.
Are cookies working their way onto the enforcement agenda?
The CNIL has been particularly active recently in its enforcement on cookies. These sanctions follow the previous cookie-related fines that it imposed on Google, in particular for 135 million euros in December 2020 (see our Lens article). However, there are reasons to believe that other regulators may begin to follow suit. As cited in the CNIL decisions, the Spanish authority has also imposed several cookie-related sanctions based exclusively on its provisions implementing the ePrivacy Directive (and therefore outside the GDPR one-stop shop). The EDPB set up a cookie banner taskforce in September 2021, partly in response to the noyb cookie project. This privacy campaign group (chaired by Max Schrems) is actively reaching out to organizations and filing complaints with regulators as part of a campaign to increase cookie compliance.
In the meantime, Italian regulator Garante has issued updated guidelines on cookies and other tracking tools, which it deemed necessary in light of trends, including: (i) incorrect implementation of the rules; (ii) numerous complaints received; (iii) the “ever-increasing diffusion of new technologies characterized by an increasing level of ubiquity”; and (iv) the “multiplication” of users’ online identities, where “matching” could allow the creation of “increasingly specific and detailed profiles”.
What about UK organisations?
Although the CNIL justified these large fines by reference to the reach and advertising revenue of Facebook and Google, other website operators – especially those with operations in France – should take note. UK organizations can also expect the ICO (which regulates the UK ePrivacy regime as well as the UK GDPR) to keep a close eye on its European counterparts when it comes to their enforcement activities in this space.
Internet users in the UK, like those in the EU, will recognize that it is often easier to accept all cookies on a website than to refuse them. Although EU and UK law does not expressly cover this point, the regulators’ guidelines do. The UK cookie guidelines state that emphasizing “accept” or “allow” cookie options over “reject” or “block” cookie options “represents a non-compliant approach”, as the online service influences users towards the “accept” option.
That said, at present the ICO’s fining powers under the UK ePrivacy regime (PECR) are more limited than in France. UK PECR fines are capped at £500,000, while French data protection law (which covers both the ePrivacy Directive and GDPR) allows maximum fines of 2% of annual worldwide turnover or 10 million euros. However, this could change in the UK, where these maximum fines are being reviewed as part of the government’s general review of data laws – see our blog for more information.
“complicating the opt-out mechanism actually discourages users from opting out of cookies and encourages them to opt for the ease of the cookie consent button in the first window”