Facebook and Google user tracking controls attract €210 million fine
€210 million fine issued by CNIL
The French data privacy authority, the CNIL, has fined Google €150 million and Facebook €60 million, for data breaches relating to user tracking and cookies.
The CNIL’s decision
The CNIL fined both companies for making it difficult for users to refuse cookies. The investigations found several clicks were required to refuse all cookies, compared to a single click to accept them. The CNIL noted that, “when you accept cookies, it’s done in just one click…rejecting cookies should be as easy as accepting them.”
In particular, the CNIL pointed to youtube.com and Google’s video sharing platform as areas where it was difficult to reject cookies. In issuing its fine, the CNIL have given both Google and Facebook three months to comply with the order or face an extra penalty payment of €100,000 per day of delay. Both Google and Facebook must provide French internet users simpler tools for refusing cookies, in order to guarantee their consent.
Both companies have issued statements promising to review their cookie and user tacking controls.
The fine concerned the French Data Protection Directive Act, which implements the ePrivacy Directive in a manner similar to the Privacy and Electronic Communications Regulations (“PECR”) in the UK. The PECR requires that users or subscribers consent to cookies being placed or used on their device.
Cookies back in the firing line
Previously, the biggest fine levied by the CNIL was against Google in 2020, totalling approximately €100 million for unlawful cookie use.
The recent fine is another example of the French authority strengthening data protection and using the powers available to it. The CNIL’s highest fines to date have all concerned use of cookies.
It appears that the increased action by data authorities across Europe and the UK seen in 2020 and 2021 will continue into 2022. For any questions around ensuring your organisation’s lawful use of cookies, please contact our data privacy team.
Key Contacts :
Mike Hibberd
Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.
- Legal Director
- T: +44 (0)118 951 6765
- Email me
Piers Leigh-Pollitt
Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).
- Partner & Compliance Officer for Legal Practice
- T: +44 (0)118 951 6761
- Email me
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.