SOCIETE DU FIGARO was held responsible for allowing partners to deposit cookies on users' terminals for advertising purposes without their consent and prior to any action on their part. The company failed to provide users with effective means to refuse the deposit of cookies for advertising purposes, even though they had expressed their desire to do so.
Excerpt
Our analysis
The French DPA (CNIL) received a complaint in August 2018 regarding the installation of cookies on users' devices without their consent and prior to any action on the Société du Figaro's website. After conducting five online inspections between January 2020 and June 2021, the DPA found that the website violated the applicable laws by using deceptive patterns and forced actions on its users. Specifically, cookies were installed on users' devices as soon as they arrived on the website, even if they had expressed a refusal to accept cookies while navigating to another page of the website. Additionally, the website failed to ensure that its partners did not emit cookies that violated the applicable regulations, and did not take the necessary steps to put an end to the breach observed. The DPA therefore held the website accountable for breaching its obligations regarding consent and information about cookies on its website, in violation of Article 82 of the French data protection law.
Outcome
The CNIL Restricted Committee has determined the outcome of the case and has decided to impose an administrative fine of 50,000 euros on SOCIETE DU FIGARO for violating article 82 of the Data Protection Act. Additionally, the committee has ruled that its deliberation will be made public on both the CNIL website and the Légifrance website. However, the committee will no longer identify the companies involved in the case by name after a period of two years from its publication.
Parties
National Commission for Computing and Liberties (CNIL) v. Société du Figaro
Case number
SAN-2021-013
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Users must give informed and unambiguous consent and receive clear information about cookies, including processing purposes and data controller identity, according to the law.