French regulators today ordered Google and Facebook to make rejecting cookies as simple as accepting them and fined the companies a total of €210 million for failing to comply with France’s Data Protection Act.
The CNIL (Commission Nationale de l’Informatique et des Libertés) said that “facebook.com, google.fr and youtube.com offer a button allowing the user to immediately accept cookies” but “do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies. Several clicks are required to refuse all cookies, against a single one to accept them.”
The process making it harder to reject cookies than to accept them “affects the freedom of consent of Internet users and constitutes an infringement of Article 82 of the French Data Protection Act,” the CNIL said. The agency announced fines of €150 million for Google and €60 million for Facebook and said it “ordered the companies to provide Internet users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent, within three months. If they fail to do so, the companies will have to pay a penalty of 100,000 euros per day of delay.”
The CNIL said it has received many complaints from users about both companies. In its announcement of the Google fine, the CNIL said it determined that “making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to opt for the ease of the ‘I accept’ button.” With Facebook, “in order to refuse the deposit of cookies, Internet users must click on a button entitled ‘Accept cookies,’ displayed in the second window… such a title necessarily generates confusion and… the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it.”
Fines based on ad revenue
The agency said it calculated each fine based on “the number of data subjects concerned and the considerable profits the company makes from advertising revenues indirectly generated from the data collected by the cookies.” But the penalties won’t make much of a dent in either company’s revenue. Google owner Alphabet reported $65.1 billion in revenue and $18.9 billion in net income in its most recent quarter, while Facebook reported $29 billion in revenue and $9.2 billion in net income.
New cookie rules for websites and mobile applications took effect on March 31, 2021. Since that date, “the CNIL has adopted nearly 100 corrective measures (orders and sanctions) related to non-compliance with the legislation on cookies,” the agency said.
Google and Facebook vague on planned changes
When contacted by Ars, neither Google nor Facebook said exactly how they will change their cookie policies to comply with the ruling. A Google spokesperson said, “People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive.”
Facebook owner Meta told Ars, “We are reviewing the authority’s decision and remain committed to working with relevant authorities. Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”