What are the cookie laws?
Article 82 of the French Data Protection Law (“Loi Informatique et Libertés”) implements into French law article 5(3) of the EU’s ePrivacy Directive and states, in a very broad manner, that the operator of a website must inform website users, in a clear and comprehensive manner:
- the purposes for which each cookie (or similar technology) is used; and
- the means available to refuse them.
Where does the method for refusing cookies fit into this?
In Google’s case, the user only needed one click to accept cookies, but five clicks to reject them. In Facebook’s case, the user only needed one click to accept the cookies but three actions (a click, scroll and a further click) to refuse them.
Rationale for the fines
The size of the fines appear to be based on the restrictive committee’s (the committee within the CNIL that issues sanctions) estimate of what each company has financially gained in advertising revenue from those users that might have otherwise rejected cookies (if rejecting was as easy as accepting). Similarly, as to the proportionality of the penalty issued by the Council of State on 28 January 2022, the Council of State considered that the CNIL had taken into account the large market share held by Google, as well as the number of users in France and the size of its profits.
Outcomes of these decisions
Decisions rendered on the basis of Article 82 of the French Data Protection Act (i.e. that the refusal mechanism should not be more complex than the acceptance one) directly derives from the CNIL’s latest guidelines and recommendations. These decisions therefore constitute strong examples of the real enforceability of the most recent CNIL recommendations and guidelines. This sends a clear signal to data controllers as to the need to comply with such guidelines and recommendations, not only in the field of cookies, but also regarding other data protection requirements.
Moreover, although the CNIL’s decisions are only binding in France, these decisions should worry any website operators who have adopted similar cookie banner mechanisms to Facebook and Google in other European countries. For example, the guidance issued in the UK by the ICO closely follows the reasoning set out by the CNIL and describes ‘nudge behaviour’ (i.e. influencing the user to take one particular action over another) as being non-compliant, although we are unaware of any enforcement action having been taken on this point.
What can be expected in 2022?
From a French perspective, it should be noted that these decisions were reached in the context of a global compliance strategy regarding cookies, initiated by the CNIL more than two years ago. This strategy saw the CNIL adopt guidelines and implement a specific tool (“Cookie Viz”) to help controllers comply with the cookie rules. Since April 2021, the French regulator has adopted nearly 100 corrective measures to controllers related to non-compliance with cookie requirements.
Long-term, we may see a multiplication of the sanctions issued by the CNIL in France, notably in the field of cookies. This will likely increase the number of legal proceedings on this matter, especially since more and more controllers tend to challenge the CNIL decisions before the Council of State. In this context, cookie compliance needs to be viewed as an important topic to be closely assessed and monitored.
The CNIL’s decisions regarding Google and Facebook can be found here and here (only in French). The Council of State decision can be found here (only in French).