The CNIL sanctions Google and Facebook for not allowing users to easily refuse cookies

Cookies have been a hot regulatory topic for some time, particularly in France where the CNIL has ranked cookies in its top three investigative priorities for the past two years and has launched a variety of guidance and regulatory actions. ‘application. In this context, the French authority concluded the year 2021 with two significant decisions against Google and Facebook concerning the means of refusing cookies.

In both decisions, the CNIL criticizes Google and Facebook for not offering Internet users a means of refusing cookies as easily as they can accept them. The French authority imposed a total fine of 150 million euros on Google (90 million euros for Google LLC and 60 million euros for Google Ireland Limited) and a fine of 60 million euros on Facebook. He also enjoined both to “modify. . .the procedures for obtaining the consent of users located in France to the reading and/or writing of information in their terminal, by offering them a means of refusing these operations as simple as the mechanism for their acceptance “with a penalty payment daily allowance of €100,000 per day of delay in complying with the injunction after three months from the notification of the decision.

The sanction procedures were based on online investigations carried out by CNIL agents on the sites google.fr and youtube.fr (for Google) as well as facebook.fr (for Facebook). These investigations showed that while these three sites display a button to accept all cookies immediately on the first layer of the cookie notice, Internet users must go through several steps in secondary layers in order to refuse cookies. In the case of Facebook, the CNIL agents noted that, to confirm their choice concerning the deposit of cookies, users must click on a button entitled “Accept cookies” at the bottom of the second layer, even if they have chosen to refuse the deposit of cookies. cookies.

The CNIL – through its restricted commission which is the body responsible for pronouncing the sanctions – considered that the process described above infringes the freedom of consent of users and therefore its validity, within the framework of the rules of consent. more stringent requirements under the GDPR. The authority’s reasoning is that making the mechanism for refusing cookies more complex than accepting them would unduly influence users in favor of consent, especially since users expect to be able to consult websites quickly.

The position of the CNIL’s select committee is consistent with the CNIL’s doctrine on this issue, which the authority promoted in its cookie guidelines and imposed on other website publishers last year. Indeed, the French data protection authority has reported the sending of more than ninety formal notices to various website publishers during the year 2021, ordering them, among other things, to make refusing cookies as easy as accepting them.

Unlike the publishers of these other sites, Google and Facebook were not the subject of a prior formal notice by the CNIL but were directly the subject of a sanction procedure. Both companies argued that this difference in treatment violated the principle of equality before the law and should have invalidated the sanction proceedings. The CNIL’s restricted committee rejected this request on the grounds that the formal notice decision is at the discretion of the CNIL’s president and does not constitute a legal obligation. She also added that the two companies had recently faced sanction procedures over their cookie practices when they should have been particularly vigilant and aware of the action of the CNIL.

In both decisions, Google and Facebook also challenged the CNIL’s jurisdiction, both materially and territorially. First, they claimed that the GDPR one-stop-shop mechanism should have applied, thus excluding the CNIL’s jurisdiction to know and decide this case alone, since their two main places of establishment within the EU are the Ireland and not France. Secondly, they also argued that the CNIL had no territorial jurisdiction since the cookies were not deposited as part of the activities of their establishments in France. The select committee rejected both requests. In summary, the commission considers that the one-stop shop of the GDPR does not apply since the cookie rules in question stem from the e-Privacy Directive which constitutes a specific text and which, according to the commission, provides for its own implementation and enforcement mechanism that does not rely on the GDPR one-stop-shop. On territoriality, the select committee considered that the deposit of cookies was actually carried out within the framework of the activities of the French establishments of Google and Facebook. To reach this conclusion, it relied on the cases “Google Case”, “Wirtschaftsakademie” and “Facebook Belgium” of the CJEU in which the Court of the EU interpreted the concept of “processing carried out within the framework of activities of an establishment”, in particular concerning Google and Facebook, but under the old European directive n° 95/46.

Google has also developed additional arguments:

(i) Non bis in idem: Google claimed that the new penalty procedure violated the non bis in idem principle since Google had already been the subject of a penalty procedure regarding its cookie practices in 2020. The commission restricted rejected this argument on the grounds that the object of the two procedures was different: the 2020 procedure concerned the information delivered to the persons concerned, while the 2021 procedure concerned the means of refusing cookies.

(ii) Referral of a preliminary question to the CJEU: Google asked the Restricted Committee to refer a preliminary question to the CJEU concerning compliance not to offer a “reject all” button next to the “accept all” button in the first layer of cookie notices, where a means of refusing cookies is made available to users in a second layer. The select committee declined to refer the matter, stating that it is not considered a “jurisdiction” for this purpose and therefore has no such power.

iii) Suspension of the procedure: Google requested the suspension of the CNIL procedure to await the decision of the Council of State on the appeal against the previous case, but the restricted formation refused on the grounds that this was not authorized by law.

(iv) Joint control: A discussion also took place regarding the joint control of Google LLC and Google Ireland Limited. Google argued that only Google Ireland Limited was the relevant controller in relation to the placement of cookies, while the select committee held that the two entities were co-controllers and therefore jointly liable.

These two decisions show that compliance with the regulations on cookies remains a very important subject of application for the CNIL, which can lead to substantial fines and mandatory injunctions to modify the practices of the controlled entities. This trend should continue in 2022, because cookies could well appear for the third consecutive year in the top 3 priorities of investigation of the CNIL.

Comments are closed.