Google and Facebook are facing hefty fines, €150 million and €60 million respectively, in France for violating EU privacy rules. CNIL, the French data regulator, said both companies failed to allow French users to easily reject cookie tracking technology.
The restricted committee considered that this process affects the freedom of consent, since, on the internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favor of consent. This constitutes an infringement of Article 82 of the French Data Protection Act.
The restricted committee ordered both companies to provide Internet users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent, within three months. If Google and Facebook fail to do so, they face a daily penalty of €100,000.
This is part of the global compliance strategy initiated by CNIL over the past two years with French and foreign actors publishing websites with a lot of visits and having practices contrary to the legislation on cookies.
A spokesperson for Meta, Facebook’s holding company, said they are reviewing CNIL’s decision and remain committed to working with relevant authorities. “Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”
A Google spokesperson said people trust the company to respect their right to privacy and keep them safe. “We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive.”
The French regulator had fined Amazon and Google €35 million and €100 million respectively in December 2020 for cookie violations under the ePrivacy rules. CNIL had also fined Google an additional €50 million under the General Data Protection Regulation (GDPR).