It takes more clicks to reject their cookies than accept them, so France fines Facebook and Google over €200m

Google and Facebook have come a little unstuck in the cookie department as French watchdog Commission Nationale de l'Informatique et des Libertés (CNIL) slapped the pair with a €150m and €60m fine respectively.

The CNIL kicked off its investigations after receiving complaints regarding the way cookies can be refused on facebook.com, youtube.com and google.fr. The crux of the matter is that while there is a button to permit immediate acceptance of cookies, there is not the equivalent to refuse them as easily. "Several clicks are required to refuse all cookies, against a single one to accept them," explained the CNIL.

"The restricted committee," it went on, "considered that this process affects the freedom of consent: since, on the internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favor of consent. This constitutes an infringement of Article 82 of the French Data Protection Act."

Both fines have similar reasoning behind them. Google LLC was fined €90m while Google Ireland was fined €60m. Facebook Ireland's fine stands at €60m. The companies have three months to give internet users located in France a means to refuse cookies that is as simple as accepting them. "If they fail to do so, the companies will have to pay a penalty of €100,000 per day of delay," said the CNIL.

The Register asked the tech giants for their take on the fines, which follow the expiration of a deadline on 31 March 2021 for websites and mobile applications to comply with the rules.

A Meta spokesperson told us: "We are reviewing the authority's decision and remain committed to working with relevant authorities.

"Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls."

A Google spokesperson said: "People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive."

• SlimPay fined €180k after 12 million customers' bank data publicly accessible for 5 years
• Luxembourg judge hits pause on Amazon's daily payments of disputed $844m GDPR fine
• Facial recog firm Clearview hit with complaints in France, Austria, Italy, Greece and the UK
• EU court rules Right To Be Forgotten doesn't apply outside member states

The ePrivacy directive is concerned with the privacy of communications, violations of which have enabled the CNIL to take direct action. Action under GDPR would have resulted in the Irish Data Protection Commission (DPC) taking the lead since both Google and Facebook entities are based in Ireland and only the privacy agency in the country where a company is established can enforce things. Just ask WhatsApp.

We asked independent privacy researcher and consultant Dr Lukasz Olejnik if other countries might follow France's lead.

"This is unlikely," he said. "And even France was only able to pursue this case because the EU is unable to agree on the final ePrivacy Regulation. If it was in force, the responsibility would likely stop stay with the Irish DPC who might happen to have different priorities.

"It is also unlikely because it requires motivation and 'guts' to do this. And some EU countries deployed the old ePrivacy Directive in ways that effectively paralyse enforcement of the kind," he added.

"It seems that France remains on the forefront of data protection enforcement."

As for what Google and Facebook might have to do, Olejnik said: "Technically it is a very simple change. UX-wise it might be harder to swallow for the companies."

He went on to note that a literal adoption of the definition of consent would require the rethinking of some business processes. "Yet, it seems that not doing so may be costly," he concluded.

Facebook reported over $28bn in revenue in its last set of quarterly results (an increase of 33 per cent on the previous year) and Alphabet (Google) notched up [PDF] $65.1bn. ®