French privacy regulator slaps Facebook, Google with fines totaling nearly $240M
France’s privacy watchdog fined Google nearly $170 million and Facebook almost $70 million on Thursday for making it harder for users to refuse cookies — which store user information — than to accept them.
The National Commission on Informatics and Liberty, or CNIL, also ordered Google and Facebook to fix that issue within three months or face daily fines of more than $100,000 from the restricted committee, the CNIL body that handles sanctions.
“The restricted committee considered that this process affects the freedom of consent: since, on the Internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favor of consent,” the CNIL wrote.
That puts the two companies in violation of the French Data Protection Act, the commission said. On Facebook, YouTube and Google sites, one click can enable cookies but it takes multiple clicks to refuse them all, the CNIL said.
While cookies are largely a matter of privacy and convenience, criminals can hijack them to spy on users.
Google’s cookie policies has earned millions in CNIL fines before, as well as Amazon. Overall, the agency has issued nearly 100 orders and sanctions since the end of March, “when the deadline set for websites and mobile applications to comply with the new rules on cookies expired.”
A spokesperson for Meta, the parent company of Facebook, said that “We are reviewing the authority’s decision and remain committed to working with relevant authorities.
“Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls,” the spokesperson said.
Google did not immediately respond to a request for comment, but told news outlets that it was working to to make changes in response to the CNIL commandment.
Updated 1/7/22: With Meta’s comment.
