Google and Facebook fined for cookies practices

January 10, 2022

The CNIL, France’s data regulator, fined Meta (Facebook) and Google for violating the GDPR for a total of 210M€. More specifically:

Also, if the companies do not fix the issue within three months, an additional penalty of 100'000€/day will be added.

There are two facts that I think are very interesting about these fines: the reason behind the fines, and the fines issuer.

The reason for the fines is that, while a button is present to accept all cookies easily, there is no button to refuse all cookies easily. This practice, sadly, is widespread on the web. By providing a far more straightforward path to acceptance than to refusal, the website owner expects more people to accept than would if both choices were equally easy. This advantage might be real, but many European regulators have already clarified that this practice is not compliant with the GDPR. The interesting fact about these fines is that this is the first time a regulator has fined well-known companies for this reason. As we have seen since May 2018, the regulators started by fining the most extensive violations and then, over time, have moved to more subtle ones. This fine might be the first of a long list on this specific topic.

Interestingly, the French regulator issued the fines to two Irish companies. Usually, the rule has been that the regulator of the nation where the company is located is the one issuing the fines. The CNIL’s reasoning behind those fines is that French people are being affected. This fact completely turns the tables. If the legitimacy of CNIL’s standing is proved, the balance of power between the European data regulators might completely change. Since the majority of big companies are located in Ireland, the Irish data regulator (DPC) should be the one issuing the majority of fines. However, many say that the DPC is not issuing enough fines because Ireland wants to keep good relationships with the companies located in the country. Fines such as this one could change the paradigm to one where any country will be able to fine any company. At that point, it will be apparent if some countries have been stricter than others in the past and, in a way, it will level the playing field, since the company’s incorporation country will not grant it additional or reduced liabilities.

I hope we will see more fines in line with these. Decoupling the company’s incorporation country from the regulator will be critical to making the GDPR effective in protecting people.