The never-ending story of the installation of “cookies”

The French Data Protection Commission (CNIL) fined Facebook (now Meta Platforms, Inc.) €60 million and Google €150 million for not being as easier to refuse cookies on their websites than to accept them. Below is more information on the background to these decisions. Additionally, if you skip to the end of our blog post, you’ll find out what these decisions mean for your business and how your cookie selection process is configured.

Fine against Google

After receiving several complaints about the procedures for refusing cookies on the “google.fr” and “youtube.com” sites, the CNIL opened an investigation. The CNIL has found that while websites offer the possibility of immediately clicking on a button that authorizes all cookies, websites do not offer the same possibility of refusing all cookies. Instead, to disable all cookies, the user must click multiple times. The CNIL found that by implementing a more complex solution to refuse all cookies, the site operator effectively discourages users from disabling cookies and favors the “accept all” button offered by websites. The CNIL found this to be a violation of a provision of French data protection law that requires consent for any activity by which an electronic communications service accesses or enters information into the device. of a user.

In accordance with the Data Protection Act and the General Data Protection Regulations (GDPR), in order to freely consent to any processing activity, users must be clearly and fully informed of the purpose of a data processing activity and the means to object to it. The GDPR makes this clear in its recitals by specifying that consent cannot be given freely if the user is unable to refuse or withdraw consent without suffering prejudice. The CNIL considered in its decision that the process of refusing cookies by selecting a button to manage cookie settings, which takes users to another window where the user can customize cookie settings or choose a button to accept all cookies, discouraged users too much. be considered free consent. The more complex the process to refuse all cookies, the more likely it is, in the opinion of the CNIL, that consent cannot be given freely. In this regard, the CNIL has recommended in its 2020 guidelines on cookies and other tracers and the recommendations that accompany them that website operators plan to accept and refuse cookies with the same level of simplicity.

Based on the assessment described above, mainly because users of google.fr and youtube.com could not refuse cookies as easily as they could accept them, the CNIL sentenced Google LLC to 90 million euros. euros and Google Ireland Ltd to 60 million euros on December 31, 2021. (see press release of January 6, 2022).

Fine against Facebook

Similarly, as in the decision against Google, the CNIL began to actively investigate Facebook’s setting of cookies in April 2021 following several complaints about how cookies could be refused on the “facebook” site. com”.

The context of the Facebook case was similar to that of Google. Facebook provided a pop-up on its website with a button to “accept all cookies” and a button to “manage data settings”, but no button to reject all cookies. This meant that to refuse cookies the user had to go to a second window where the user again had the option to accept all cookies and where the user had to customize the cookie settings with slides. Although the two sliders for personalized ads were disabled by default, the CNIL found that the process for refusing cookies was not simple enough. As the cookie refusal process needed to access two different windowsthe CNIL found that it could be too confusing for users to freely consent to the use of cookiesthus violating the aforementioned provision of the Data Protection Act and the consent requirements provided for by the GDPR.

Thus, on December 31, 2021, the CNIL imposed a fine of 60 million euros on Facebook Ireland Ltd for the violation of the same provisions as in the Google case (see press release of January 6, 2022).

How will the decision impact your business?

In short, companies must implement a cookie selection process that allows users to choose from “accept all cookies”, “refuse all cookies” and, if applicable, “personalize cookies” on the first pop-up window or cookie banner. Any process that is more cumbersome for users to reject cookies than to accept cookies will, in the opinion of the French Data Protection Authority, hinder the possibility of freely consenting. Furthermore, these decisions also underline that the CNIL is prepared to pursue the application of its recommendations by opening investigations and, in the event of non-compliance, by ordering very substantial sanctions.


Source link

Comments are closed.