France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), has fined big tech companies Facebook and Google for failing to adhere to local (and pan-EU) cookie consent rules. Facebook was fined €60M (~$68M), while Google was fined €150M (~$170M). According to the regulator, the fines follow an investigation into how Google and Facebook present tracking choices to users in the country, after which the tech companies were found guilty of breaking the country’s rules on consumer data protection. The regulator added that it acted after receiving numerous complaints.
The regulatory body concluded after its investigation that Facebook and Google do not give users an option to reject non-essential cookies that is as clear as the option to accept them. In other words, Google and Facebook were using manipulative means to gain consent.
The press release by the CNIL reads: “… the information given by the company is not clear since, in order to refuse the deposit of cookies, Internet users must click on a button entitled ‘Accept cookies’, displayed in the second window. It considered that such a title necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it. The restricted committee judged that the methods of collecting consent proposed to users, as well as the lack of clarity of information provided to them, constitute violations of Article 82 of the French Data Protection Act”.
According to EU law, for consent to be used as a basis for processing personal data, it has to be clear, specific, informed and freely given by its owner. Facebook and Google were guilty of breaking all of these requirements.
Apart from the fines, the regulator has ordered Facebook and Google to modify how cookie choices are presented to French users. They were given a three-month ultimatum to make the change. The duo could face additional penalties of up to €100,000 daily for failure to comply after the ultimatum elapses.