French Data Protection Authority (CNIL)-Facebook Ireland Ltd. (12/31/2021)

The CNIL received several complaints regarding the manner in which cookies could be refused on the website of Facebook.com.

The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them.

From this, the CNIL concluded that users would accept the deposit of cookies out of convenience with more frequency. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms.

In determining the fine, the fact that a large number of people were affected was taken into account in an aggravating manner. In addition, the CNIL took into account the significant profits that the companies were able to make from the advertising revenue generated indirectly from the data collected through cookies.

The CNIL also pointed to the fact that the authority had already alerted the the company to this breach in February 2021.

In addition to the fine, the CNIL issued an order requiring the companies to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, companies would face the payment of a penalty of EUR 100,000 per day of delay.