French data protection authority fines Facebook and Google for their cookie policy
The French data protection authority (Commission on Information Technology and Liberties, CNIL) has fined Facebook and Google with EUR 60 mio. resp. EUR 150 mio. for non-compliance with data protection law. According to the authority, the websites facebook.com, google.fr and youtube.com do not make refusing cookies as easy as to accept them.
According to the CNIL’s press release, the CNIL has noted that the three above-mentioned websites would offer a button allowing the user to immediately accept cookies. However, they would not provide an equivalent solution (button or other) enabling the internet user to easily refuse the deposit of these cookies. Several clicks would be required to refuse all cookies, against a single click to accept them. The CNIL considered that this process would affect the freedom of consent: since, on the internet, the users would expect to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them would influence their choice in favour of consent. This would constitute an infringement of French data protection law and of the EU General Data Protection Regulation (GDPR).
In addition to the fines, the CNIL ordered the companies to provide internet users located in France with a means of refusing cookies as simple as the existing means of accepting them within three months. If they fail to do so, the companies will have to pay a penalty of EUR 100’000 per day of delay.