The French data protection authority (CNIL) recently imposed high fines on Google and Facebook for failing to obtain cookie consent in compliance with French data protection law. Neither company ensured that refusing cookies is as simple as accepting them. In this article we will show you what this means for your company.
High fines for insufficient cookie consent
CNIL issued a combined fine of EUR 150 million against two Google subsidiaries and a EUR 60 million fine against Facebook. CNIL based its decisions on the fact that users are not able to reject cookies on some of Google’s and Facebook’s websites as easily as they can accept them.
In Google’s case, on the websites google.fr and youtube.com, cookies could be accepted with just one click, but several clicks were necessary to reject them. Also in Facebook’s case, on facebook.com, several clicks were necessary to refuse cookies. Moreover, users had to click on a button titled “Accept cookies” to refuse cookies, which is also misleading.
Based on this, CNIL argued that Google and Facebook violated Article 82 of the French Data Protection Act, which implements Art. 5 (3) of the ePrivacy Directive into French national law. Hence, similar provisions exist in all EU countries. Art. 5 (3) stipulates that cookies or similar technologies may only be used with prior consent of the data subject.
Google and Facebook now have to adjust their websites in order to comply with French law within three months. For each day of delay they will have to pay EUR 100,000.
Importance of obtaining cookie consent in compliance with data protection law
The decision by the French data protection authority sets an important precedent. Hence, it becomes even more important for your company to ensure that you obtain valid user consent if you use cookies. This is especially the case as consumer associations (e.g. privacy advocate Max Schrems’ organisation noyb) are issuing more and more complaints against companies with non-compliant cookie banners and are also increasingly bringing cases on behalf of individuals to supervisory authorities and courts.
Valid consent for the use of cookies
Art. 5 (3) ePrivacy Directive stipulates that cookies or similar technologies may only be used with prior consent of the data subject. Exceptions exist only for cookies that are strictly necessary for the operation of the respective website, e.g. session cookies. For all other cookies, like advertising cookies or analysis cookies, website operators must obtain the informed consent of the users.
For consent to be valid, it has to be obtained before you collect any data through cookies and in compliance with the standard set out in Art. 4 (11) GDPR. Hence, it must be “freely given, specific and informed”. Therefore, information on the tracked data and the purposes of the tracking has to be provided in an easily understandable way. Moreover, as the CNIL fines showed again, it must be possible to reject cookies and withdraw consent as easily as accepting them.
More detailed information on how cookie consent can be validly obtained and how respective cookie banners should be designed can be found here.