France tops cookie enforcement in Europe. Tips to avoid fines

TikTok, Microsoft, Apple and Voodoo have all received multi-million euro fines from the French regulator in the past six weeks. These are just a few examples of the many companies penalised for violating France’s rules on cookies. 

Out of all of Europe’s regulators, the French “CNIL” is the most active in pursuing companies that break the EU’s online tracking advertising laws. 

Yes, France takes cookies very seriously. Digital cookies, that is—though edible cookies, too, of course (everyone loves a delicious macaron). 

But why are all these cookie-related fines coming out of France? Let’s find out where these companies went wrong and explore what makes the CNIL Europe’s ultimate cookie caretaker. 

Four fines in ten days 

Between 19 and 29 December 2022, the CNIL hit four companies—Microsoft, Apple, TikTok and Voodoo—with fines over how they collected consent for cookies. 

Few privacy watchers were surprised by this spate of regulatory action. The CNIL is notorious for issuing multi-million euro cookie penalties, while other regulators are less ferocious in this area of privacy compliance. 

Several of the largest data protection fines of all time were issued by France for non-compliance with EU cookie rules, including a €90 million against Google LLC and €60 million against Facebook, both issued in December 2020. 

Not only were these sanctions higher than other tracking-related penalties issued elsewhere—they were also imposed on companies whose main European establishment is not in France. 

Why France is different 

So what makes France Europe’s true cookie monster? This partly has to do with how EU law works. 

Europe’s online tracking rules mostly come from the ePrivacy Directive.  

Unlike its better-known cousin, the General Data Protection Regulation (GDPR), the ePrivacy Directive allows regulators to act directly against companies that are mainly based outside of their jurisdiction. 

So under the GDPR, the CNIL would need to refer French complaints to another regulator and then possibly wait several years for an outcome. Under the ePrivacy Directive, France can take action directly in response to complaints from people in France. 

And then there are the fines. The ePrivacy Directive has a much lighter penalty regime than then GDPR, which allows regulators to impose fines of up to 4% of turnover or €20 million. 

However, France implemented the ePrivacy Directive under its Data Protection Law, tying the penalty structure to that of the GDPR. This means the CNIL punish cookie breaches with the sorts of eye-watering multi-million euro penalties normally reserved for GDPR violations. 

This means that any company with a website accessible in France is at risk of harsh enforcement action from the CNIL. 

Three rules from recent French cookie decisions 

Now let’s look at some of France’s most recent cookie-related decisions, all adopted since mid-December 2022, to see what practices lead the CNIL to sanction companies.  

Three clear rules emerge from these decisions: 

1. Get consent 
2. Get consent properly 
3. Be transparent

Rule number 1: Get consent 

Microsoft received a €60 million fine on 19 December 2022 due to its cookie consent practices on the Bing search engine. 

The CNIL noted that the company pushed two cookies onto its users without requesting consent at all. One of these cookies was for advertising purposes, and the other cookie reportedly had “multiple purposes”, including “the fight against advertising fraud”. 

A similar issue arose regarding a €3 million fine against games company Voodoo, issued 29 December 2022. 

The CNIL found that Voodoo was setting Apple’s ID for Vendors (IDFV) on users’ devices even after they had refused consent for tracking via the iOS “App Tracking Transparency” (ATT) pop-up. 

A reminder: It’s not only marketing and most analytics cookies that require consent under EU law—it’s any cookies that are not classed as “essential” or “strictly necessary” under the ePrivacy Directive. 

Rule number 2: Get consent properly 

On several occasions, the CNIL has sanctioned companies for making it harder to refuse consent than to accept consent. 

One example is the aforementioned Microsoft decision. The regulator found that where Microsoft was asking for Bing users’ consent, the company was not doing so fairly. 

“Two clicks were needed to refuse all cookies, while only one was needed to accept them,” the regulator noted in its press release about the fine. 

In a fine against TikTok issued on 29 December 2022, the CNIL made similar findings: the company was fined partly because “it was not as easy to refuse cookies as to accept them”. 

Under the ePrivacy Directive (implemented under France’s Data Protection Law), “consent” means “GDPR standard consent”. That means consent must be freely given, specific, informed, unambiguous and provided via a “clear, affirmative action”. 

In the cookie context, this partly means providing two equally accessible options to “accept” or “refuse” cookies. Don’t hide the “refuse” option. 

Rule number 3: Be transparent 

In addition to getting GDPR-standard consent for non-essential cookies, you must provide GDPR-standard information about what those cookies are for. 

In the CNIL’s recent TikTok decision, the regulator notes that users “were not informed in a sufficiently precise manner” of the reason that TikTok wanted to set cookies on its users’ devices. 

TikTok reportedly failed to make information about its cookies sufficiently clear—either on the cookie consent window itself or the “settings” menu accessible from the window. 

EU law requires website and app operators to provide transparent information about the cookies they use. This means providing some concise information on the cookie consent mechanism itself, and then more detailed information in a privacy or cookies notice. 

Users must be told about the names and purposes of specific cookies used on a website or app, together with information about the length of time cookies persist on the user’s device and any third parties with whom their data might be shared.