The CNIL has sanctioned Google up to 150 million euros and Facebook up to 60 million euros for non compliant cookie banners.
The French data protection agency CNIL says in their statement that sites like Facebook.com, Youtube.com and Google.fr do not allow the user to refuse the use of cookies as simply as it is to accept them. The companies need to make their platforms and sites compliant within three months.
‘Freedom of consent’
The CNIL performed various checks on the websites of these tech companies, focussing on their cookie banners. Both companies have banners in place and offer a button to directly accept cookies but on the other hand there is no button to easily withdraw or refuse the cookies. The user needs to go through several clicks and layers to be able to refuse all cookies.
This method is not in line with the “Freedom of consent”, refusing cookies should be as simple as accepting them. A violation of article 82 of the Data Protection Act and Article 7 of the GDPR:
The data subject shall have the right to withdraw his or her consent at any time. 2The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 3Prior to giving consent, the data subject shall be informed thereof. 4It shall be as easy to withdraw as to give consent.
The committee ordered both companies to make a decent freedom of choice available for French users within 3 months. For every day they’re not complying a fine of 100,000 euros will be charged.
We have written an article based on the NOYB guidelines for proper consent settings for CMPs. It includes also the recommendation for adding a Deny button on the first layer of the banner. Read more here.