Privacy & Information Security Law Blog

On December 31, 2021, the French Data Protection Authority (the “CNIL”) imposed a €150,000,000 fine on Google and a €60,000,000 fine on Facebook (now Meta) for violations of French rules on the use of cookies.

Background

On October 1, 2020, the CNIL published a revised version of its guidelines on cookies and similar technologies (the “Guidelines”), its final recommendations on acceptable methods for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”), and a set of FAQs regarding the Recommendations. The CNIL provided a six-month transition period for businesses to comply with the Guidelines (i.e., until March 31, 2021), and has been focused on enforcing its Guidelines and Recommendations.

CNIL’s Decisions and Sanctions

After receiving several complaints from users, the CNIL investigated the cookie practices of facebook.com, google.fr, and youtube.com. The CNIL’s investigations concluded that the websites offered an easy way to consent to the use of cookies immediately after accessing the websites, but did not provide an equally easy way to refuse the use of cookies. Users had to select multiple options to refuse cookies, but only one option to provide consent to the use of all cookies. The CNIL also concluded that Facebook provided unclear and confusing instructions to users on how to refuse cookies.

According to the CNIL, the companies’ cookie notices and consent practices affect the freedom of the website users’ consent, as it influences users’ choice in favor of consent.

CNIL’s Jurisdiction

The CNIL asserted that it drew its authority to investigate the companies’ cookie practices under the e-Privacy Directive, which is transposed into national law by each EU Member State (i.e., in Article 82 of the French Data Protection Act). Accordingly, the CNIL asserted that the cooperation and so-called “one-stop-shop” mechanisms set forth in the EU General Data Protection Regulation (“GDPR”) did not apply, and that the CNIL had the power to enforce the French Data Protection Act and its related cookie Guidelines and Recommendations irrespective of the location of the companies’ main establishment under the GDPR.

With respect to Facebook, the CNIL also asserted its authority under Article 3 of the French Data Protection Act, as the use of cookies is carried out by Facebook France, the French establishment of Facebook’s main controller, Facebook Ireland Limited. The CNIL also asserted that it had the authority to investigate Google because the use of cookies is carried out within the context of the activities of Google France (i.e., the French establishment of Google LLC and Google Ireland Limited).

In response, Facebook argued that the allegedly infringed cookie consent rule stems from the CNIL’s Guidelines and Recommendations and is not specifically mentioned in the e-Privacy Directive. Instead, Facebook argued the cookie consent rule relates to the application of the GDPR’s consent requirements, and the GDPR’s one-stop-shop mechanism therefore should apply. In practice, this would have resulted in the CNIL having no authority to sanction Facebook, as Facebook’s main establishment is located in Ireland. As mentioned above, the CNIL rejected Facebook’s argument and responded that its rules on cookies (and its related Guidelines and Recommendations) stem from the e-Privacy Directive, which is implemented at the national level and does not provide for a one-stop-shop mechanism. Additionally, the CNIL highlighted that the rules of the e-Privacy Directive prevail as lex specialis over the GDPR (i.e., where two laws govern the same factual situation, a law governing a specific subject matter overrides a law governing only general matters). According to the CNIL, the fact that the GDPR consent requirements must be applied when collecting consent in the context of the e-Privacy Directive does not result in the application of the GDPR and its one-stop-shop mechanism in these cases.

Sanctions

The CNIL held that the companies’ respective cookie practices infringe Article 82 of the French Data Protection Act governing the use of cookies. As a result of these alleged infringements, the CNIL imposed a total of €150,000,000 in sanctions against Google  (€90,000,000 against Google LLC and €60,000,000 against Google Ireland Limited), and €60,000,000 against Facebook.

According to the CNIL, these amounts are justified by the scope of the processing, the number of data subjects concerned, and the profits the respective companies gain from advertising revenues indirectly generated by their use of cookies.

In addition to the fines, the CNIL’s restricted committee ordered Facebook and Google to, within three months of the decision, provide French users with a method to refuse cookies that is as easy as the method to consent to cookies. Failure to do so will result in daily penalties of €100,000.

Read the CNIL’s press release and the decision (in French ) in the Facebook case. Read the Facebook decision in English.

Read the CNIL’s press release and the decision (in French ) in the Google case. Read the Google decision in English.

Read the CNIL’s press release on the two fines in English.