Cookies: FACEBOOK IRELAND LIMITED fined 60 million euros

06 janvier 2022

On December 31, 2021, the restricted committee of the CNIL fined the company FACEBOOK IRELAND LIMITED 60 million euros because the users of the social network residing in France can't refuse cookies as easily as to accept them.

Failure to comply with the French Data Protection Act

The CNIL has received many complaints reporting the way they can refuse cookies on the website

In April 2021, the CNIL conducted an online investigation on this website and found that, while it offers a button to immediately accept cookies, it does not offer an equivalent solution (button or other) enabling the user to refuse the deposit of cookies as easily. Several clicks are required to refuse all cookies, as opposed to a single one to accept them. The CNIL also noted that the button allowing the user to refuse cookies is located at the bottom of the second window and is entitled "Accept cookies".

The restricted committee, the CNIL body responsible for issuing sanctions, noted that making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to opt for the ease of the consent button for cookies in the first window. It considered that such a process affects the freedom of consent of Internet users.

The restricted committee also considered that the information given by the company is not clear since, in order to refuse the deposit of cookies, Internet users must click on a button entitled "Accept cookies", displayed in the second window. It considered that such a title necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it.

The restricted committee judged that the methods of collecting consent proposed to users, as well as the lack of clarity of information provided to them, constitute violations of Article 82 of the French Data Protection Act.

The sanctions

The restricted committee fined FACEBOOK IRELAND LIMITED 60 million euros and made it public.

It justified this amount by the scope of the processing, the number of data subjects concerned and the considerable profits the company makes from advertising revenues indirectly generated from the data collected by the cookies.

In addition to the administrative fine, the restricted committee also issued an injunction with periodic penalty payment requiring that the company provides Internet users located in France, within three months of the notification of the decision, with a means of refusing cookies that is as simple as the existing means of accepting them, in order to guarantee the freedom of their consent. Otherwise, the company may pay a penalty of 100,000 euros per day of delay.

Jurisdiction of the CNIL

The CNIL is materially competent to verify and sanction operations related to cookies deposited by the company on the terminals of Internet users located in France. The cooperation mechanism provided for by the GDPR (the "one-stop shop" procedure) is not intended to apply in these procedures insofar as the operations related to the use of cookies fall within the scope of the "ePrivacy" directive, transposed in article 82 of the French Data Protection Act. 

The restricted committee considered that the CNIL is also territorially competent pursuant to Article 3 of the French Data Protection Act because the use of cookies is carried out within the "framework of the activities" of the company FACEBOOK FRANCE, which constitutes the "establishment" of the Facebook group on French territory.

Note: The company FACEBOOK IRELAND LIMITED, whose head office is in Ireland, presents itself as the data controller of the Facebook service in the European region. The company FACEBOOK FRANCE is the establishment in France of the Facebook group.