France’s National Commission on Informatics and Liberty (CNIL), the country’s data privacy and protection body, has announced a 60 million euro ($68 million) sanction against Facebook and a 150 million euro ($170 million) penalty against Google.
The fines are for making it difficult for website visitors to reject tracking cookies by hiding the option behind multiple clicks.
Both Facebook and Google allow visitors to their website to accept the entire set of cookies in a single action by pressing a button available on the first page.
Rejecting the cookies, though, is a manual, discouraging process that requires users to disable them one by one.
As such, the committee that investigated the case following multiple complaints from French users established that Facebook and Google are:
- Making the cookie refusal mechanisms unnecessarily complicated
- Discouraging users from refusing cookies
- Encouraging users to give their consent to personal data collection
The practice is considered an infringement of the freedom of consent of internet users, and as such, it violates Article 82 of the French Data Protection Act.
Poor attempts to remediate the issues
CNIL has informed the two companies a few months ago of the violations and received assurances that the issues would be corrected.
On December 2021, Facebook sent screenshots with a new interface for cookie management, claiming improvements in the mechanism that no longer favored acceptance.
However, the committee found that refusing the cookies remained cumbersome and accepting them was still easier.
As a result, today CNIL announced an administrative fine of 60 million Euros against Facebook Ireland Ltd. and an additional 100,000 Euros per day of delay of compliance, starting from March 2022.
The same deadline and delay penalties were announced for Google, the 150 million Euro fine being split between Google LLC and Google Ireland Ltd., 90 million Euros and 60 million Euros respectively.
In November last year, the Italian competition authority hit Google with a fine of 10 million Euros for aggressive data collection by default.
The Italian investigators found that Google was activating user options for the acceptance to collect, transfer and use their data for commercial purposes by default.
A Google spokesperson has shared the following statement with Bleeping Computer:
People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive
A Facebook spokesperson has responded to our request a comment with the statement below:
We are reviewing the authority’s decision and remain committed to working with relevant authorities. Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls