Google and Facebook have come a little unstuck in the cookie department as French watchdog Commission Nationale de l'Informatique et des Libertés (CNIL) slapped the pair with fines of €150m and €60m respectively.
The CNIL kicked off its investigations after receiving complaints regarding the way cookies can be refused on facebook.com, youtube.com and google.fr. The crux of the matter is that while there is a button to permit immediate acceptance of cookies, there is not the equivalent to refuse them as easily. "Several clicks are required to refuse all cookies, against a single one to accept them," explained the CNIL.
"The restricted committee," it went on, "considered that this process affects the freedom of consent: since, on the internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favor of consent. This constitutes an infringement of Article 82 of the French Data Protection Act."
The Register asked the tech giants for their take on the fines, which follow the expiration of a deadline on 31 March 2021 for websites and mobile applications to comply with the rules.
A Meta spokesperson told us: "We are reviewing the authority's decision and remain committed to working with relevant authorities.
"Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls."
A Google spokesperson said: "People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive."
The ePrivacy directive is concerned with the privacy of communications, violations of which have enabled the CNIL to take direct action. Action under GDPR would have resulted in the Irish Data Protection Commission (DPC) taking the lead since both Google and Facebook entities are based in Ireland and only the privacy agency in the country where a company is established can enforce things. Just ask WhatsApp.
We asked independent privacy researcher and consultant Dr Lukasz Olejnik if other countries might follow France's lead.
"This is unlikely," he said. "And even France was only able to pursue this case because the EU is unable to agree on the final ePrivacy Regulation. If it was in force, the responsibility would likely stay with the Irish DPC who might happen to have different priorities.
"It is also unlikely because it requires motivation and 'guts' to do this. And some EU countries deployed the old ePrivacy Directive in ways that effectively paralyse enforcement of the kind," he added.
"It seems that France remains on the forefront of data protection enforcement."
As for what Google and Facebook might have to do, Olejnik said: "Technically it is a very simple change. UX-wise it might be harder to swallow for the companies."
He went on to note that a literal adoption of the definition of consent would require the rethinking of some business processes. "Yet, it seems that not doing so may be costly," he concluded.