France’s data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), has fined Google and Facebook a combined total of €210 million for violation of cookie rules under the e-Privacy Directive.

On 30 December 2021, the CNIL fined Facebook Ireland Ltd €60 million, a statement on which can be accessed here. The following day it fined Google LLC and Google Ireland Ltd a total of €150 million, a statement on which can be accessed here. Both fines were issued because the websites facebook.com, google.fr, and youtube.com do not allow website users in France to reject cookies as easily as accepting them.

The e-Privacy Directive requires website providers to obtain GDPR standard consent (unambiguous, specific, informed and freely given) from users for the use of any non-essential cookies. Website users should be able to withdraw their consent as easily as giving it in the first place.

In its statements, the CNIL points out that the relevant cookie banners used by Google and Facebook display one button allowing website users to accept all non-essential cookies immediately. However, several clicks are needed to reject non-essential cookies in comparison to the single click to accept, making it more complex and so arguably more difficult to withhold consent. The CNIL views the effect of this added complexity as nudging website users towards accepting cookies as the easier option. As a result, consent may not be freely given and so violates Article 82 of France’s Data Protection Act (which implements the provisions of the e-Privacy Directive into French law).

In addition to the fines, Google and Facebook have been given 3 months to remedy the fault by ensuring website users are able to reject the use of non-essential cookies as easily as accepting them. A daily penalty of €100,000 will apply for failure to comply within the timeframe.

The fines continue the trend of increased regulatory scrutiny on the use of non-essential cookies by websites and on cookie consent mechanisms. However, this is a significant decision and will no doubt concern (and rightly so) any organisation who relies heavily on non-essential cookies as it provides [un]welcome clarity that "reject all" buttons are required in the cookie banner itself.

Up until recently, it has been fairly common for website providers to take the approach adopted by Google and Facebook, offering one button for users to accept all non-essential cookies, and an alternative button allowing users to manage their cookie preferences and so reject non-essential cookies via a few additional clicks. Although ICO (and other EU regulators) guidance has always recommended this approach, the CNIL is very clear that in its view a “reject all” button must be provided alongside an “accept all” button. It will be interesting to see if other regulators who have not yet been as stringent in their approach to cookie consents follow suit.

The other interesting aspect of these decisions is that they reaffirm the CNIL’s view that when it comes to cookie compliance, any failure to obtain valid consent for use of cookies is an e-Privacy issue not a GDPR issue. Therefore, if the use of cookies (or other tracking technologies) is carried out in the context of activities of an organisation’s French establishment, any failure to comply with the consent requirements will, in the CNIL’s view, fall under its jurisdiction and notably it will not be required to follow the one stop shop mechanism laid out in the GDPR.

Organisations (particularly those established in France, bearing in mind that France allows for more significant fines for e-Privacy breaches than many other jurisdictions) who use cookies or other tracking technologies should now be reviewing their current cookie consent mechanisms in light of the decisions, and ensuring website users are given an option to reject all cookies via a single click as well as accepting them.