Google and Facebook have both been found in violation of the French Data Protection Act.
Following complaints on the way cookies can be refused on facebook.com, google.fr, and youtube.com, French data protection agency CNIL (Commission Nationale de l'Informatique et des Libertés) carried out probes and concluded that the websites committed breaches.
“The restricted committee, the body of the CNIL responsible for issuing sanctions, has noted, following investigations, that the websites facebook.com, google.fr, and youtube.com offer a button allowing the user to immediately accept cookies,” explained the CNIL in a release. “However, they do not provide an equivalent solution (button or other) enabling the internet user to easily refuse the deposit of these cookies. Several clicks are required to refuse all cookies, against a single one to accept them.
“The restricted committee considered that this process affects the freedom of consent: since, on the internet, the user expects to be able to quickly consult a website; the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favour of consent. This constitutes an infringement of Article 82 of the French Data Protection Act.”
The CNIL asserted that refusing cookies should be as easy as accepting them. To penalise non-compliance with French legislation, the authority’s restricted committee issued a €90 million fine against YouTube owner Google LLC and €60 million against Google Ireland Limited (or €150 million against Google in total), and €60 million against Facebook Ireland Limited.
Facebook Ireland is said to be the data controller of the Facebook service in the European region. Similarly, Google Ireland is described as the European head office of the Google group.
It’s unclear whether the two tech giants are insured against such data protection fines.
Meanwhile, the CNIL also announced: “In addition to the fines, the restricted committee ordered the companies to provide internet users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent, within three months. If they fail to do so, the companies will have to pay a penalty of €100,000 per day of delay.
“These two decisions are part of the global compliance strategy initiated by the CNIL over the past two years with French and foreign actors publishing websites with a lot of visits and having practices contrary to the legislation on cookies.”