Chalk another one up for decentralized enforcement: France’s data protection watchdog has slapped headline-grabbing fines on Facebook and Google for failing to respect local (and pan-EU) cookie consent rules.
Today, the CNIL said it’s fined Google €150M (~$170M) and Facebook €60M (~$68M) for breaching French law, following investigations of how they present tracking choices to users of google.fr, youtube.com and facebook.com.
The regulator said it was acting after receiving a number of complaints.
In a clear breach of EU and French law, it found the pair do not offer an option for users to reject non-essential cookies as easily as the option they offer for them to accept all tracking.
So, in short, the tech giants were using manipulative dark patterns to try to force consent.
Here’s an illustrative snippet from the CNIL’s press release:
” … the information given by the company is not clear since, in order to refuse the deposit of cookies, Internet users must click on a button entitled “Accept cookies”, displayed in the second window. It considered that such a title necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it.
The restricted committee judged that the methods of collecting consent proposed to users, as well as the lack of clarity of information provided to them, constitute violations of Article 82 of the French Data Protection Act.”
Under EU law, if consent is the legal basis being claimed for processing people’s data there are strict standards that must be adhered to — consent must be informed, specific and freely given in order for it to be obtained legally.