France: CNIL fines Google €150M for inadequately facilitating refusal of cookies

The French data protection authority ('CNIL') published, on 6 January 2022, decision No. SAN-2021-023, as issued on 31 December 2021, in which it fined Google LLC and Google Ireland Limited €90 million and €60 million respectively for failing to make it as easy to reject consent to the use of cookies as it is to accept the same on google.fr and youtube.com, in violation of Article 82 of Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties ('the Act'), following an online audit conducted by CNIL as part of its wider ongoing enforcement campaign of its guidelines and recommendations on cookies.

Background to the case

CNIL outlined that following an online check carried out on the google.fr and youtube.com websites on 1 June 2021, it made various observations regarding the cookie banners, privacy policies, and terms of service of the websites in question, which it sent on to Google in the form of a report requesting further information on each of the cookies mentioned in the said report, their purposes, and the number of daily unique visitors to each website over the last twelve months from France. CNIL further outlined that Google responded to that request on 9 July 2021, putting forward that the provision of its response was without prejudice to its rights under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), in particular the one-stop-shop mechanism, and the Irish Data Protection Commission's ('DPC') role as lead supervisory authority in investigations.

In addition, CNIL noted that following its subsequent notification of its intention to fine Google for violations identified in the aforementioned online check, Google had put forth a number of arguments in its defence, notably arguing that CNIL's previous fine against Google for cookie violations, issued on 7 December 2020, is still pending in the Conseil d'Etat, and that this decision should therefore be suspended, whilst also alleging a breach of the principle of non bis in idem (i.e. that CNIL cannot rule on the same facts as those addressed in its previous enforcement actions against Google). CNIL rejected both of the arguments put forward by Google regarding suspension and admissibility of the decision, firstly highlighting that the pending nature of the Conseil d'Etat's decision does not affect the President of CNIL's competence to initiate a sanctioning procedure, and secondly that the facts of the present case are not identical to those of the previous decision. In particular, CNIL noted that the previous decision related to information of users on the purposes of cookies subject to consent and on the means of refusing cookies, whereas the present case relates to the modalities of refusing consent itself, as opposed to information related to the same.

With respect to Google's assertion that the DPC should be considered the lead supervisory authority and as such that CNIL is not competent to rule on this matter, CNIL outlined, among other things, that insofar as the case concerns specific rules relating to the use of cookies, the rules of the ePrivacy Directive prevail as lex specialis over the GDPR, and, as such, the one-stop-shop rule under the GDPR cannot be applied to the present case.

Findings of CNIL

In particular, CNIL observed that the banner displayed on the google.fr and youtube.com sites contains a button allowing immediate acceptance of cookies, but that no similar means are offered to the user to be able to as easily refuse the deposit of such cookies. CNIL additionally observed that to refuse cookies, users must perform at least five actions (firstly click on the 'customise' button, then click on each of the three buttons to select 'disabled' - each button corresponding to 'personalization of the search', 'YouTube history', and 'ad personalisation', and finally a click on 'confirm'), rather than a single action to accept them. Emphasising the principle established under its cookies recommendations and guidelines, that data controllers must offer users both the possibility of accepting and refusing cookies and other trackers with the same degree of simplicity, CNIL held that such a refusal mechanism does not offer the same degree of ease as the mechanism to express consent, therefore disregarding the rules regarding freedom of consent. CNIL therefore considered that making the mechanism for refusing cookies more complex than the mechanism for accepting them in fact amounts to discouraging users from refusing cookies and encouraging them to favour the "I accept" button. Thus, CNIL found that the methods of refusing cookies implemented by Google violate the requirements of Article 82 of the Act.

In terms of responsibility for the identified unlawful processing in question, CNIL identified Google Ireland Limited, which Google itself identified as the relevant data controller, and Google LLC, whose controllership Google disputed, as joint controllers, notably citing, among other things, Google's own assertion that Google LLC 'designs and builds the technology of Google products and that with regard to cookies deposited and read when using the search engine Google Search, there is no difference in technology between the cookies deposited from the different versions of the search engine' to come to the conclusion that Google LLC determines the means of processing and plays a fundamental role in the entire decision-making process relating to the processing in question.

Outcomes

In view of the above, and taking into account the respective responsibilities of the two entities and their financial situations, CNIL decided to impose a fine of €90 million on Google LLC and a fine of €60 million on Google Ireland Limited. In addition to the lump sum financial penalties, CNIL also ordered Google to bring their operations into compliance with the identified violated rules within three months, also providing that additional fines of €100,000 per day would be imposed for non-compliance following the end of such period. 

You can read the press release here and the decision here, both only available in French.

Update: August 3, 2023

CNIL confirms Google's fulfillment of compliance order on use of cookies

On August 1, 2023, CNIL published its decision No. SAN-2023-012, as issued on July 13, 2023, in which it closed the injunction issued against Google LLC and Google Ireland Limited for compliance with Decision No. SAN-2021-023 as issued on December 31, 2021 (Decision of December 31, 2021). 

Background to the decision

In particular, CNIL highlighted that, in the Decision of December 31, 2021, in addition to imposing the aforementioned fines totaling €150 million, CNIL also ordered Google to facilitate the refusal of cookies on the websites google.fr and youtube.com.

Findings of CNIL

Further to the above, CNIL noted that Google responded to the order on April 4, 2022, outlining that it had made technical changes. Specifically, Google installed a cookie refusal button labeled 'Only allow essential cookies' near the cookie acceptance button.

Outcomes

In view of the above, CNIL considered that the behavior of Google fulfilled the order issued under the Decision of December 31, 2021, and confirmed that the penalty payment of an additional €100,000 per day following the violation does not need to be paid.

You can read the press release here and the decision, only available in French, here.