Google, Facebook fined €210 million for making it difficult for users to reject cookies

The Google logo displayed on a smartphone in front of a French flag

Google and Facebook have been hit with a combined fine of €210 million (£175 million) over failures in policies that allow users to accept and refuse cookies on their websites.

France's National Commission for Information Technology and Civil Liberties regulator (CNIL) fined Google €150 million euros, €90 million for Google LLC and €60 million for Google Ireland Limited, while Facebook Ireland Limited was given a fine of €60 million.

CNIL said that the websites facebook.com, google.fr, and youtube.com have all failed to provide an easy way for users to reject cookie collection on their browsers, and that several clicks are required to refuse all cookies, compared with a single click to provide consent.

The regulator argued the fact users are unable to refuse cookies as easily as they can accept them influences their choice in favour of consent, constituting an infringement of Article 82 of the French Data Protection Act.

Isabelle Falque-Pierrotin, head of France's National Commission for Information Technology and Civil Liberties (CNIL), at CNIL's headquarters in Paris

Isabelle Falque-Pierrotin, head of France's National Commission for Information Technology and Civil Liberties (CNIL), speaking at CNIL's headquarters in Paris

The penalties also order the companies to provide internet users in France with a means of refusing cookies that is at least as simple as the existing mechanism for accepting them, within a three month period. If they fail to do so, the companies will have to pay a penalty of €100,000 per day of delay.

"We are reviewing the authority's decision and remain committed to working with relevant authorities,” a spokesperson from Meta told IT Pro. “Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”

A Google spokesperson said: “People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive."

RELATED RESOURCE

Multi-factor authentication deployment guide

A complete guide to selecting and deploying your MFA authentication guide

FREE DOWNLOAD

This isn’t the first time that CNIL has targeted big tech companies over their use of cookies. In December 2020, Amazon and Google were fined £122 million collectively for “insufficient” cookie consent. Google was hit with a €100 million (£90 million) fine while Amazon received one for €35 million (£32 million).

According to the investigation, Google didn’t provide enough information to users in France about why and how cookies are used, whereas Amazon was fined for placing cookies on people’s computers without their consent.

Google challenged this fine at the Council of State in February 2021, according to Euractiv. Politico reported that Google is still fighting this case, and a source said the company is likely to oppose the new fines and go to the French top court again.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.