Skip to main content

Cookie consent: Record fines for Google and Facebook by CNIL

Google and Facebook issued huge fines after being caught with their hand in the cookie jar.

The French Regulator, CNIL, has fined Google and Facebook a combined total of €210 million (£177 million) for breaching EU data privacy Regulations which made it more difficult for users to reject cookies than accept them.

What are cookies?

We are all familiar with cookie banners popping up when we visit a website. Cookies are small files of electronic data that are used to identify your computer while using the network. Privacy advocates have campaigned against them as sites can use cookies to monitor users, but they are also extremely valuable to companies like Google and Facebook as they allow them to personalise their advertising.

What is the development?

The EU and UK have stricter data privacy laws than the US. The E-privacy directive implemented by the GDPR requires websites to ask for consent to non-essential cookies before placing them on devices and tracking a user’s activity. Google and Facebook were found to have infringed Article 82 of the French Data Protection Act after the regulator found that French users only had to click once to consent to cookies but there was no equally easy way to refuse them. Users had to follow a much more complex process which influenced the user’s choice in favour of consent.

CNIL Sanctions

CNIL fined Google €150 million (£126 million) and Facebook €60 million (£50 million). The regulator has also said that the companies have 3 months to rectify their processes otherwise they will impose a further penalty of €100,000 (£84,000) a day until the websites are compliant. It said the level of the fines was justified by the scope and number of users affected, as well as taking into account the considerable profits made indirectly from advertising revenue generated from the data collected from the cookies. It had also previously brought Google’s infringing practices to its attention and therefore considered that it had deliberately violated the law.

What does this mean?

Although the decision is under French law, the same principles apply across the EU and in the UK. Both companies have said that they are reviewing their policies in light of the decision and intend to develop and improve the controls that users have over their data and right to privacy. We will therefore have to wait and see whether Google and Facebook make any changes to their domains outside of France.

A sign of things to come?

While the courts have taken a more favourable stance with big tech companies on these issues, (Lloyd v Google LLC), this decision is perhaps a warning sign that regulators will take a particularly tough stance on data protection and non-compliance with cookie legislation. In particular, the CNIL has stated that it would make compliance with obligations relating to targeted advertising and tracking of internet users a strategic priority. Although Google and Facebook are tech giants, it is clear that the level of such fines is meant to act as a deterrent, and it is likely that we will see many more eye-watering fines to come if businesses do not strictly adhere to cookie rules.

For expert advice in relation to all aspects of data protection, information governance, privacy, cyber liability and electronic communications contact our team of leading data protection solicitors.