France fines software company €60 million for data violations

Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons France Enforcement Consumer Protection Cookies

In December, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €60 million penalty against a global software development company accused of making it harder for users of its search engine to reject cookies than to accept them. Based on investigations conducted in September 2020 and May 2021, CNIL claims that when users visited the search engine, cookies used for advertising purposes and countering advertising fraud, among other things, were automatically deposited on their terminal without the users’ consent. Under French law, these types of cookies may only be deposited after users have expressed their consent, according to CNIL. CNIL further observed that while the search engine offered a button to accept cookies immediately, it did not offer an equivalent button to allow the user to refuse the cookies as easily. By making the refusal mechanism more complex, users are discouraged from refusing cookies and are instead encouraged “to prefer the ease of the consent button in the first window,” CNIL said, adding that “such a procedure infringed the freedom of consent of Internet users.” Claiming violations of Article 82 of the French Data Protection Act, CNIL ordered the company to take measures within three months to modify its practices for obtaining consent from users residing in France. CNIL further stated that additional fines of €60,000 will be imposed per day of non-compliance following the end of the three-month period.