The Commission nationale de l’informatique et des libertés (CNIL), France’s data protection watchdog, has slapped Facebook (now Meta Platforms) and Google with fines of €150 million ($170 million) and €60 million ($68 million) for violating E.U. privacy rules by failing to provide users with an easy option to reject cookie tracking technology.
“The websites facebook.com, google.fr and youtube.com offer a button allowing the user to immediately accept cookies,” the authority said. “However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies.”
Facebook told TechCrunch that it was reviewing the ruling, while Google said it’s working to change its practices in response to the CNIL fines.
HTTP cookies are small pieces of data created while a user is browsing a website and placed on the user’s computer or other device by the user’s web browser to track online activity across the web and store information about the browsing sessions, including logins and details entered in form fields such as names and addresses.
Specifically, the CNIL found fault with the manner in which the two platforms require several clicks to reject all cookies, as opposed to having a single override to refuse all of them, effectively making it harder to reject cookies than to accept them.
In order to refuse cookies, Facebook makes users click a button titled “Accept Cookies”. You have to laugh. pic.twitter.com/5b6cpQ2Usd
— Mark Di Stefano (@MarkDiStef) January 6, 2022
This dark pattern affects the freedom of consent, the data protection agency said, adding the fact that users don’t have a better choice when it comes to rejecting cookies as easily as they can accept them steers their choice in favor of consent.
Along with imposing monetary penalties against Google and Meta, the CNIL has also ordered the tech giants to alter how they currently present cookie choices and provide users in the country with a simple means of refusing cookies within three months, or risk facing further fines of €100,000 per day of delay.
While the fines won’t make much of a dent in either company’s revenues, this is not the first time European authorities have acted to punish Big Tech for contravening E.U. regulations. In December 2020, the regulator levied Google €100 million and Amazon Europe €35 million for having placed advertising cookies on users’ devices without seeking their prior consent.
Then in November 2021, Italy’s competition authority, the Autorità Garante della Concorrenza e del Mercato (AGCM), fined Apple and Google €10 million each for not providing clear and immediate information on the acquisition and use of user data for commercial purposes during the account creation phase.