If there were any lingering doubts about how seriously Europe takes its users' privacy in 2022, they were put to rest this week. Google & Facebook have been fined a combined €210m (£176m) by the Commission Nationale de l’Informatique et des Libertés (CNIL) in France.
Google was fined the bulk of that amount at €150m while Facebook was handed out a €60m fine for making it cumbersome and difficult for internet users in the country to refuse the use of cookies.
While neither the General Data Protection Regulation (GDPR) nor France's own Data Protection Law outlaw cookies, it requires all businesses using cookies on their site to make it easier for users to opt-out. Additionally, it requires businesses to make it explicitly clear to users what information will be collected with these cookies.
Karin Kiefer, the CNIL's head of data protection and sanctions, stated that one of the primary reasons Facebook & Google faced this penalty was the failure to make the opt-out process just as easy as accepting cookies. It takes one click to accept all cookies, and yet a user may have to go to multiple pages and make several clicks before it can revoke prior given consent to cookies.
In a detailed press release, the CNIL has provided further details of what the fine means for both companies. Following the CNIL's own investigations, facebook.com, google.fr, and youtube.com, did not make opting out as easy as required by law. This imbalance hinders the users' ability to choose freely between accepting or rejecting cookies.
This was judged to be an infringement of Article 82 of the French Data Protection Act, leading to both Facebook & Google being fined.
That's not the end of the bad news for both the organisations as CNIL added that both are required to comply with its orders and reform their cookie policy within a period of 3 months. If unsuccessful, both Facebook & Google will be fined €100,000 for every day of delay after the period of 3 months.
These stringent actions from CNIL come after it mandated all organisations to keep a documented audit trail of all user rejections to cookies for a period of 6 months in 2020. Additionally, it required all businesses to keep a button or link to the preference center on all their web pages, so users can easily change their acceptance of cookies at any stage of their browsing session.
Straying afoul of that last provision is what may have led to such hefty fines for Facebook & Google. It is also being seen as a message for all other businesses operating in France to bring their practices in line or be at risk to receive similar fines.
Avoid Similar Fines With Securiti
While Facebook & Google may have gotten 3 months to remedy their current cookie consent practices, other businesses may not receive such a leeway from CNIL. Moreover, since France has now set a precedent, other regulatory authorities in Europe and globally may exercise their authority in mandating businesses’ responsibility related to cookies as well.
Securiti is a market leader in providing enterprise solutions to cookie consent management thanks to its PrivacyOps framework. Securiti’s artificial intelligence and machine-learning-based tools can help any organisation automate its cookie consent protocols and ensure they remain compliant with every major data protection law globally.
Request a demo today to see Securiti’s tools in action and see first-hand how it can aid your compliance efforts.
