On Jan 6 2022, the French data protection authority (the CNIL) hit Google with two large fines totalling €150 million. The fines related to how Google implements cookie consent procedures on YouTube and Google Search.
On the same day, Facebook also received a €60 million fine for—fundamentally—the same reason.
Let’s look at how these tech giants slipped up, and how you can avoid making the same mistakes.
Google’s Cookie Consent Fine
As mentioned, Google received two CNIL fines, both coming as part of the one enforcement action: one against California-based Google LLC (which operates Google Search) and one against Google Ireland (which operates YouTube in Europe).
The basic problem here is a tale as old as the GDPR itself: Google made it too complicated to refuse consent to cookies.
Accepting cookies on YouTube and Google Search is easy. Simply click “Accept” on the cookie banner.
Refusing cookies is a little trickier. As part of its enforcement action, the CNIL pointed out that while accepting cookies required the user to make just one click, refusing cookies took several clicks.
Accepting and Refusing Consent
Under the GDPR, consent has a very specific definition. For the purposes of this decision, one important element of consent is that it must be “freely given.”
Being “freely given” means that giving and refusing consent must be equally easy for users.
If you want to allow users to accept cookies with just one click, they should also be able to refuse them with one click.
Facebook’s Cookie Consent Fine
Facebook’s Jan 6 GDPR fine was the company’s second-highest after the decision against WhatsApp last year.
The grounds for the decision were similar to those alleged against Google. But there’s one interesting detail that’s worth noting if you want to learn from Facebook’s mistakes.
Facebook’s cookie consent mechanism did allow users to refuse consent for cookies. Again, refusing was more complicated than accepting—but it was also a little confusing.
Whatever cookies settings users chose within Facebook’s consent mechanism, they still had to click a box labelled “Accept Cookies” in order to access the site—even if they opted out of all cookies.
As noted by the CNIL, this “generates confusion” because users may feel that “it is not possible to refuse the deposit of cookies and that they have no way to manage it.”
The message is clear: Use simple and easily-understandable language in all your privacy information.
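Both findings above (refusing must take no more clicks than accepting, and the refusal path must not pass through a button labelled “Accept Cookies”) can be checked mechanically before a regulator does it for you. The JavaScript below is an added example, not code from the article or from any of the companies it discusses: it models a consent banner as a graph of screens joined by button clicks, walks it to find the shortest click path to “accepted” and to “refused”, and flags asymmetry and misleading labels. The three banner flows and the cookie catalogue are constructed illustrations of the patterns the article describes, not a reproduction of any real site’s banner.

```javascript
// Added example: audit a cookie-consent flow for the two problems the CNIL
// called out (refusal harder than acceptance; a refusal path that makes the
// user click "Accept"). Flows and cookie names below are constructed samples.

// A flow is { start, screens: { screenName: { buttonLabel: nextScreen } } }.
// "accepted" and "refused" are terminal screens reached after the last click.
// Breadth-first search returns the labels clicked on the shortest path to
// `goal`, or null when the goal cannot be reached at all.
function shortestPath(flow, goal) {
  const prev = new Map([[flow.start, null]]);
  const queue = [flow.start];
  while (queue.length) {
    const screen = queue.shift();
    if (screen === goal) {
      const labels = [];
      for (let s = screen; prev.get(s); s = prev.get(s).from) {
        labels.unshift(prev.get(s).label);
      }
      return labels;
    }
    for (const [label, next] of Object.entries(flow.screens[screen] || {})) {
      if (!prev.has(next)) {
        prev.set(next, { from: screen, label });
        queue.push(next);
      }
    }
  }
  return null;
}

// Produce findings in the style of the two decisions discussed above.
function auditFlow(flow) {
  const acceptPath = shortestPath(flow, 'accepted');
  const refusePath = shortestPath(flow, 'refused');
  const findings = [];
  if (!refusePath) {
    findings.push('no way to refuse cookies at all');
  } else {
    if (acceptPath && refusePath.length > acceptPath.length) {
      findings.push(`refusing takes ${refusePath.length} clicks, accepting takes ${acceptPath.length}`);
    }
    if (refusePath.some((label) => /accept/i.test(label))) {
      findings.push('refusal path requires clicking a button labelled "Accept"');
    }
  }
  return {
    clicksToAccept: acceptPath ? acceptPath.length : null,
    clicksToRefuse: refusePath ? refusePath.length : null,
    findings,
  };
}

// Constructed cookie catalogue. Only cookies marked essential may be written
// before the user has actually chosen "accepted"; an undecided visitor (banner
// still showing) is treated exactly like one who refused.
const COOKIES = [
  { name: 'session_id', essential: true },
  { name: 'csrf_token', essential: true },
  { name: 'ad_profile', essential: false },
  { name: 'analytics_uid', essential: false },
];

function cookiesToSet(choice) {
  return COOKIES.filter((c) => c.essential || choice === 'accepted').map((c) => c.name);
}

// Constructed flow 1: one click to accept, three clicks (via settings) to refuse.
const asymmetricFlow = {
  start: 'banner',
  screens: {
    banner: { 'Accept all': 'accepted', 'Customise': 'settings' },
    settings: { 'Turn all off': 'settingsOff', 'Save': 'accepted' },
    settingsOff: { 'Save': 'refused' },
  },
};

// Constructed flow 2: the user opts out, but must still press "Accept Cookies"
// to leave the banner, even though that click only records the refusal.
const confusingFlow = {
  start: 'banner',
  screens: {
    banner: { 'Accept all': 'accepted', 'Manage settings': 'settings' },
    settings: { 'Only essential': 'gate' },
    gate: { 'Accept Cookies': 'refused' },
  },
};

// Constructed flow 3: accept and reject sit side by side, one click each.
const symmetricFlow = {
  start: 'banner',
  screens: {
    banner: { 'Accept all': 'accepted', 'Reject all': 'refused', 'Customise': 'settings' },
    settings: { 'Save choices': 'refused' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, flow] of Object.entries({ asymmetricFlow, confusingFlow, symmetricFlow })) {
    console.log(name, JSON.stringify(auditFlow(flow)));
  }
  console.log('cookies before any choice:', cookiesToSet('undecided'));
}
```

Running the block prints one audit line per flow: the first is flagged for taking three clicks to refuse against one to accept, the second for both the click count and the “Accept” label on the refusal path, and the third produces no findings. The `cookiesToSet` helper shows the other half of the discipline: a visitor who has not yet clicked anything gets exactly the same cookies as one who refused.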
France or Ireland?
You might be wondering why France issued these fines against two US-based companies that run their EU operations out of Ireland.
The CNIL handled this investigation because EU cookie rules are chiefly governed by a 2002 law called the “ePrivacy Directive,” rather than the GDPR.
This means a regulator from any EU country can investigate any website operator active in its jurisdiction. The net is cast very widely.
But these decisions still count as GDPR penalties because the GDPR determines the EU’s definition of consent (which is the major problem in these cases).
Multi-Million Dollar Fines
The CNIL’s fine against Google Ireland was the third-highest GDPR fine of all time. And Facebook’s fine was the fourth-highest.
The fines could have been even higher: the GDPR allows for fines of up to 4% of a company’s global turnover, which would have been tens of billions of euros in both cases.
These fines reflect the large number of users accessing Google’s and Facebook’s services, and the phenomenal profits each company derives from its users’ personal data.
Smaller operations are not likely to receive such gigantic fines. But the CNIL, like many data protection authorities across Europe, is clearly getting tough on cookie consent—and any level of enforcement action can lead to unwanted costs, inconvenience, and reputational damage.