Just two weeks in and 2022 looks to be a banner year for EU privacy enforcement, at least if France’s Commission nationale de l'informatique et des libertés (CNIL) has anything to say about it. Last week the CNIL, France’s data protection authority, fined American tech giants Google and Facebook a combined 210 million euros (that’s $240M USD) for cookie violations of the ePrivacy Directive.
No ‘Reject All’ Button
The CNIL alleges that the French websites of Facebook, Google, and YouTube fail to give visitors the option to easily decline tracking, despite offering them a one-button option to ‘accept all’ cookies.
Under the ePrivacy Directive and the GDPR, refusing all cookies (except those strictly necessary to the function of a website) must be as easy as accepting them. The best practice is to provide an ‘Accept All’ button alongside a ‘Refuse All’ button in a prominently displayed cookie banner that users will see when they first encounter the website.
According to the CNIL’s statement, the websites in question “offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies.” In order to deny cookies, users must make several clicks through a submenu.
The CNIL determined that this constitutes an infringement of Article 82 of the French Data Protection Act.
For their violations, Google's U.S. and Irish operations were hit with penalties of up to 90 and 60 million euros, and Facebook Ireland could pay up to 60 million euros. Additionally, if the issue is not corrected within three months, each company will incur daily penalties of 100,000 euros.
Fines Signal Increased GDPR Enforcement
The penalties come following increased GDPR enforcement from the CNIL and other European data protection authorities and could signal increased pressure in the year ahead.
In 2021, the CNIL issued upwards of 40 corrective actions. Other nations’ DPAs have also increased enforcement. In July 2021, Luxembourg’s DPA levied a record 746 million-euro ($887M) penalty against Amazon, and in September, Ireland’s Data Protection Commission (DPC) followed suit with a 225 million-euro ($267M) fine against Facebook-owned WhatsApp for violating the rules of the GDPR.
For Google, these new fines come just two years after the CNIL fined Google and Amazon a combined 135 million euros in December 2020 for violation of ePrivacy consent requirements for the placement of cookies.
On the whole, enforcement actions are trending up—way up. Fines increased 40% in 2020 over the previous 20 months, and 2021’s fines quadrupled 2020’s total. And if European DPAs want to continue issuing fines at this pace, they shouldn’t have trouble doing so: a recent survey of EU businesses’ cookie consent forms found that 81% were missing “reject all” buttons.
Ensighten Offers True Cookie Compliance and Enforcement
Ensighten’s Consent Management solution can help you build a fully compliant website and simplify compliance with the GDPR, CCPA, LGPD, and many more laws and frameworks.
With Ensighten Consent Management Plus (CMP+), you can set up customizable consent banners and give your customers a clear-cut choice on how their data is used, or whether it is collected at all.
And unlike most consent management platforms, Ensighten CMP+ has actual enforcement capabilities on the client side, without requiring integrations with third parties. User preferences are applied instantaneously, and no cookies or tracking measures can be fired before consent is given.
You can also use Ensighten to perform a full audit of your website—up to 5000 pages—so you can understand which cookies and tracking technologies are in use and identify potential security or compliance issues.
Request a demo today to see how Ensighten can help your organization stay compliant with evolving regulations worldwide.