A restricted committee of France’s National Commission for Information and Liberty (CNIL) held Google and Facebook Ireland, the headquarters for Facebook’s activities in Europe, liable in separate judgments Thursday for violating the French Data Protection Act (DPA) since the processes by which users can reject cookies on these sites is significantly more complex than that for accepting cookies.
Under Article 82 of the DPA, any action through which an electronic communication service accesses or enters information in a user’s terminal equipment (such as the storage of cookies) requires the user’s consent. The user must be “clearly and fully informed” of both the purpose of any such action and the means to oppose it. Under Article 4 of the European Union’s General Data Protection Regulation (GDPR), consent must be specific and manifested as a positive act. Recital 42 of the GDPR explains that consent is not free if the user is unable to “refuse or withdraw consent without suffering prejudice”.
CNIL noted that while a button to “accept all cookies” was readily provided in a pop-up on visiting Facebook (“facebook.com”), there was no such button to reject cookies. The process for rejecting cookies involved selecting “manage data parameters”, taking the user to a second window where she would have to leave two sliders for personalized advertisements disabled by default and again select “accept all cookies”. Similarly, on Google (“google.fr”) and its subsidiary YouTube (“youtube.com”), the process for rejecting cookies must select “personalize” on the first window instead of “I accept”, which leads to a second window for customization. The complicated and confusing process to reject cookies meant users could not truly exercise “free” choice. CNIL noted research showing 93% of Internet users do not go past the first window on cookie banners. It also referred to its 2020 recommendation to controllers to provide for acceptance and rejection with the “same degree of simplicity”.
Google and Facebook Ireland have been fined €150 million and €60 million respectively, given the millions of users affected and the considerable profits made by these companies by selling data from cookies to advertisers. CNIL also placed an injunctive penalty; the companies must make the means to reject cookies as easy as to accept them within three months or pay €100,000 for each day of delay.