Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

French data protection agency issues privacy fines over cookies

Privacy/Cyber Risk & Data Security Of Interest to Non-US Persons Consumer Protection France Enforcement

Privacy, Cyber Risk & Data Security

On January 6, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a multinational technology company 150 million euros and a global social media company 60 million euros (approximately $170 and $68 million USD respectively) for failure to comply with the French Data Protection Act related to the companies’ process for managing cookies. (See additional press releases here and here.) According to the CNIL, the companies provide a button allowing users to immediately accept cookies but do not provide an equivalent option to allow users to easily refuse the cookies through a single click. This process, CNIL stated, “influences [a user’s] choice in favor of consent” since a user “cannot refuse the cookies as easily as they can accept them,” and constitutes an infringement of Article 82 of the French Data Protection Act. In addition to the fines, the CNIL gave the companies three months “to provide […] users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent.” Failure to comply will come with the risk of an additional daily fine of 100,000 euros per day of delay.