In January 2022, several decisions by the French data protection regulator (“CNIL”) were published regarding the implementation of French cookie requirements, sending out a strong signal to website operators targeting French users. On 6 January 2022, the CNIL issued fines totalling 150 million euros and 60 million euros, to Google and Facebook respectively, for violations of the cookie laws in France. Both fines related to the method by which, and the lack of ease in which, users can reject the use of cookies, specifically on the following websites: google.fr, youtube.com and facebook.com. Some might see this as a controversial move by the CNIL, given that the method for opposing cookies has not strictly been written into law.

Then, on 28 January 2022, the French Supreme Administrative Court (French Council of State or “Conseil d’Etat”) upheld a 100 million euro fine imposed by the CNIL on Google on March 2020, also on the topic of cookie rules. The Council of State confirmed the fine, highlighting the fact that seven cookies were automatically dropped on the users’ terminal, four of which were used for advertising purposes, whereas users were not directly and explicitly informed of either the purposes of these cookies, or how to opt-out of the use of cookies.

What are the cookie laws?

Article 82 of the French Data Protection Law (“Loi Informatique et Libertés”) implements into French law article 5(3) of the EU’s ePrivacy Directive and states, in a very broad manner, that the operator of a website must inform website users, in a clear and comprehensive manner:

  1. the purposes for which each cookie (or similar technology) is used; and
  2. the means available to refuse them.

Only after being provided with this information can the website user consent to the use of cookies. In any case, such consent must meet the standard set out in the General Data Protection Regulation; it must be freely given, specific, informed, and an unambiguous indication of the user’s wishes.

Where does the method for refusing cookies fit into this?

Despite each company putting forward very similar arguments that the method by which cookies must be refused is not, strictly speaking, set out in law (only in guidance and recommendations issued by the CNIL and guidance issued by the European Data Protection board), the CNIL ruled that the method for refusing cookies needs to have the same degree of simplicity as accepting cookies. The justification for the CNIL’s decisions is derived from the GDPR’s definition of what constitutes valid consent. Such consent needs to be freely given. In the CNIL’s view, making it more difficult to refuse cookies than to accept them is not providing the user with true freedom of choice.

In Google’s case, the user only needed one click to accept cookies, but five clicks to reject them. In Facebook’s case, the user only needed one click to accept the cookies but three actions (a click, scroll and a further click) to refuse them.

Rationale for the fines

The size of the fines appear to be based on the restrictive committee’s (the committee within the CNIL that issues sanctions) estimate of what each company has financially gained in advertising revenue from those users that might have otherwise rejected cookies (if rejecting was as easy as accepting). Similarly, as to the proportionality of the penalty issued by the Council of State on 28 January 2022, the Council of State considered that the CNIL had taken into account the large market share held by Google, as well as the number of users in France and the size of its profits.

Outcomes of these decisions

Decisions rendered on the basis of Article 82 of the French Data Protection Act (i.e. that the refusal mechanism should not be more complex than the acceptance one) directly derives from the CNIL’s latest guidelines and recommendations. These decisions therefore constitute strong examples of the real enforceability of the most recent CNIL recommendations and guidelines. This sends a clear signal to data controllers as to the need to comply with such guidelines and recommendations, not only in the field of cookies, but also regarding other data protection requirements.

Moreover, although the CNIL’s decisions are only binding in France, these decisions should worry any website operators who have adopted similar cookie banner mechanisms to Facebook and Google in other European countries. For example, the guidance issued in the UK by the ICO closely follows the reasoning set out by the CNIL and describes ‘nudge behaviour’ (i.e. influencing the user to take one particular action over another) as being non-compliant, although we are unaware of any enforcement action having been taken on this point.

What can be expected in 2022?

From a French perspective, it should be noted that these decisions were reached in the context of a global compliance strategy regarding cookies, initiated by the CNIL more than two years ago. This strategy saw the CNIL adopt guidelines and implement a specific tool (“Cookie Viz”) to help controllers comply with the cookie rules. Since April 2021, the French regulator has adopted nearly 100 corrective measures to controllers related to non-compliance with cookie requirements.

Long-term, we may see a multiplication of the sanctions issued by the CNIL in France, notably in the field of cookies. This will likely increase the number of legal proceedings on this matter, especially since more and more controllers tend to challenge the CNIL decisions before the Council of State. In this context, cookie compliance needs to be viewed as an important topic to be closely assessed and monitored.

The CNIL’s decisions regarding Google and Facebook can be found here and here (only in French). The Council of State decision can be found here (only in French).