The French data protection authority (CNIL) recently imposed high fines on Google and Facebook for failing to obtain cookie consent in compliance with French data protection law. Neither company ensured that refusing cookies is as simple as accepting them. In this article we will show you what this means for your company.
High fines for insufficient cookie consent
CNIL issued a combined fine of EUR 150 million against two Google subsidiaries and a EUR 60 million fine against Facebook. CNIL based its decisions on the fact that users are not able to reject cookies on some of Google's and Facebook's websites as easily as they can accept them.
Based on this, CNIL argued that Google and Facebook violated Article 82 of the French Data Protection Act, which implements Art. 5 (3) of the ePrivacy Directive into French national law. Similar provisions therefore exist in all EU countries. Art. 5 (3) stipulates that cookies or similar technologies may only be used with prior consent of the data subject.
Google and Facebook now have three months to adjust their websites to comply with French law. For each day of delay, they will have to pay EUR 100,000.
Importance of obtaining cookie consent in compliance with data protection law
Art. 5 (3) ePrivacy Directive stipulates that cookies or similar technologies may only be used with prior consent of the data subject. Exceptions exist only for cookies that are strictly necessary for the operation of the respective website, e.g. session cookies. For all other cookies, like advertising cookies or analysis cookies, website operators must obtain the informed consent of the users.
For consent to be valid, it has to be obtained before you collect any data through cookies and in compliance with the standard set out in Art. 4 (11) GDPR. Hence, it must be “freely given, specific and informed”. Therefore, information on the tracked data and the purposes of the tracking has to be provided in an easily understandable way. Moreover, as the CNIL fines showed again, it must be possible to reject cookies and withdraw consent as easily as accepting them.
More detailed information on how cookie consent can be validly obtained and how respective cookie banners should be designed can be found here.