On the last day of 2021, the French regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), issued fines to Facebook Ireland Limited, Google LLC and Google Ireland Limited for failure to comply with the French Data Protection Act. The decisions, although somewhat controversial, should act as a further prompt for companies to ensure their cookie policies are in order (see here for guidance).
Facebook’s fine related to the difficulty of users refusing cookies on facebook.com: for example, rejecting cookies required clicking through to a page entitled “Accept cookies”. Facebook was deemed to have violated the French Data Protection Act (which implements the ePrivacy Directive). It was fined €60m, and injuncted to make refusing cookies as easy as accepting them, with a penalty of €100,000 per day for non-compliance.
The Google fine was a combined €150m in respect of google.fr and youtube.com. CNIL found it was easier for users to accept all cookies (with one click) than refuse them (requiring several clicks), affecting users’ freedom of consent. The fine was accompanied by a similar injunction to Facebook’s.
What was the justification?
The size of these fines was based on the number of people affected and the “considerable profits… from advertising revenues indirectly generated from the data collected by cookies.” CNIL also noted that it had notified Google in February 2021 of its infringement and referred to its previous communications issuing guidance.
What about the GDPR “one-stop shop”?
CNIL was not deterred from asserting competence by the cooperation and consistency mechanism of the GDPR (the “one-stop shop” where a party’s “lead supervisory authority” – which for both organisations would have been the Irish DPC – has competence for enforcement actions across the EU). Its justification was that its enforcement action was based on the ePrivacy Directive, and hence the GDPR’s one-stop shop did not apply.
However, this argument has not been universally endorsed. The CNIL decisions (here and here) state the companies infringed the French provision implementing Article 5(3) of ePrivacy Directive (whereby consent is the only lawful basis in respect of cookies), but also note that the ePrivacy Directive refers out to the GDPR for its definition of consent. As such, some commentators have suggested action should have been brought in Ireland under the GDPR’s one-stop shop – as the companies themselves argued. Other commentary expresses concerns about fragmentation within the EU.
That said, the one-stop shop has itself been criticised (by, among others, the EDPS Wojciech Wiewiórowski in a 2021 panel discussion). Also, the CJEU confirmed in 2021 (in another cookie case involving Facebook, cited in the CNIL decisions) that in certain circumstances the GDPR does permit any EU national data protection authority – not just the supervisory authority – to pursue a privacy action with respect to cross-border data processing where “the subject matter relates only to an establishment in its own Member State or substantially affects data subjects only in that Member State”, or where there is an urgent need to act.
Cookies creeping up the enforcement agenda?
CNIL has been especially active recently in its cookie enforcement. These sanctions follow previous cookie fines it issued to Google, including for €135m in December 2020 (see our Lens post). However, there are reasons to believe other regulators may begin to follow its lead. As cited in the CNIL decisions, the Spanish authority has also issued several cookie-related sanctions exclusively grounded in its provisions implementing the ePrivacy Directive (and therefore outside the GDPR one-stop shop). The EDPB established a cookie banner “taskforce” in September 2021, partly in response to noyb’s cookie project. This privacy campaign group (chaired by Max Schrems) is actively contacting organisations and filing complaints with regulators in a campaign to increase cookie compliance.
Meanwhile, the Italian regulator Garante issued updated guidance on cookies and other tracking tools, which it deemed necessary in light of trends including: (i) incorrect implementation of rules; (ii) numerous complaints being received; (iii) the “ever-increasing spread of new technologies featuring a growing level of pervasiveness”; and (iv) the “multiplication” of users’ online identities, where “cross-checking” could enable the creation of “increasingly specific and detailed profiles.”
So what for UK organisations?
Although CNIL justified these large fines due to the reach and advertising revenue of Facebook and Google, other website operators – especially those with activities in France – should take note.
In the UK, internet users (like those in the EU) will recognise that accepting all cookies on a website is often easier than refusing them. While the law in both the EU and UK does not expressly cover this point, regulator guidance does. The UK’s cookie guidance states that emphasising the ‘agree’ or ‘allow’ cookie options over the ‘reject’ or ‘block’ cookie options “represents a non-compliant approach”, as the online service is influencing users towards the ‘accept’ option.
That said, while the ICO (which regulates the UK’s ePrivacy regime as well as the UK GDPR) is no doubt monitoring these actions in the same way that it does all developments, there is no sign that it is going to follow a similar approach to enforcement.
Even if the ICO’s approach to cookie enforcement were to change, at present its fining options under the UK’s ePrivacy regime (PECR) are more limited than in France. UK PECR fines are capped at £500,000, whereas the French Data Protection Act (which covers both the ePrivacy Directive and the GDPR) permits maximum fines of 2% of global annual turnover or €10m. However, in the UK there is in certain cases the possibility of action under the GDPR instead, which would bring higher fines into play. In any event, the level of fines under PECR is under review as part of the government’s general review of data laws – see our blog for more information.