January 7, 2022
The EU data protection regulators, in this case the French supervisory authority CNIL, have, once again, locked horns with their favourite opponents, Google and Facebook, fining them a combined total of 210 million Euros. And this time it’s all about cookies – those tiny little bits of code that lodge themselves on your computer to track and analyse your online activity.
After more than a decade of clicking “Accept” on cookie banners, we all know that you need consent for cookies, so how have Google and Facebook managed to get this wrong?
The guidance issued by CNIL in France (similar to the UK ICO’s guidance) says that, for an organisation to demonstrate it has obtained consent to set cookies:
“There should be options to accept and refuse all cookies in just one click, e.g. “Accept All” and “Reject All” buttons presented at the same level, with equal prominence to their presentation.”
Google and Facebook have fallen foul of this rule by offering “Accept all” and “Manage Cookies” buttons (the “Manage” option taking you through to a more complex set of further options) rather than a simple one-click “Reject” option.
This may, just possibly, be one of those rare occasions where you might feel a teeny tiny glimmer of sympathy towards the tech giants…
The rule in question is part of the French guidance on interpretation of the Privacy and Electronic Communications Regulations 2003 (PECR) and General Data Protection Regulation (GDPR), rather than being written into PECR or the GDPR directly. This guidance only came into force in July 2021. To be fair to CNIL, they had been consulting and informing businesses about their intention to publish this guidance well before July, but it is still a relatively recent and specific requirement.
Facebook and Google might also have been forgiven for thinking that their approach would be considered acceptable because so many other organisations have taken the same approach (*cough* Microsoft, LinkedIn, Instagram… Twitter’s cookie banner doesn’t even have an Accept option, just a “Close” option. Does this mean that their cookies are set automatically?! We hope not!)
Struggling to interpret the rules on cookies is nothing new. Back in 2011, the UK’s initial position (as set out in a letter from the UK Government Department for Culture, Media and Sport, aka the DCMS) on the then new amendment to PECR stated that “there is no indication … as to when that consent may be given, and so it is possible that consent may be given after or during processing”. (Note to the British public: never allow the DCMS to be put in charge of sexual offences...)
Back then, there was also some discussion around whether consent could be implied, the UK ICO and DCMS being of the view that, as users became more familiar with cookies, implied consent might be sufficient. Then the GDPR came along in 2018 and made it quite clear that implied consent is definitely not sufficient. Consent, said the GDPR, is only valid when the person giving it has made: “a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement”.
But as with so many aspects of the GDPR, what constitutes “consent” (and when it is required in the context of cookies) hasn’t always been obvious. And it doesn't help that the guidance of different supervisory authorities is not consistent – especially because websites are available across multiple jurisdictions.
The message to websites and online service providers is clear: in France at least, there MUST be an equally prominent “Reject Cookies” option as there is an “Accept” option. Given that the UK regulator, the ICO, has similar guidance, our recommendation is to follow the same approach.
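For readers who build the banner rather than argue about it, the following is an added example (not code from the original post, CNIL, or any of the companies named) of the consent logic the two rules above imply: nothing beyond strictly necessary cookies is set until the visitor makes an explicit choice, dismissing or ignoring the banner is not treated as consent, and the first layer offers one-click “Accept All” and “Reject All” buttons with identical styling. The cookie categories, button class names and consent-cookie format are assumptions chosen for illustration.

```javascript
// Added example: a minimal cookie-consent gate. Category names, button
// classes and the consent-cookie format are assumptions for illustration.

// "essential" is strictly necessary and never gated; everything else
// may only be set after an explicit choice by the visitor.
const CATEGORIES = ["essential", "analytics", "advertising"];

// Initial state: no choice recorded, so only essential cookies may be set.
function initialConsent() {
  return { decided: false, allowed: ["essential"], recordedAt: null };
}

// Apply one of the first-layer choices. Anything else ("close", scrolling,
// opening the "manage" layer) is not a clear affirmative act, so the state
// is returned unchanged and the visitor stays undecided.
function applyChoice(state, choice, now = Date.now()) {
  switch (choice) {
    case "accept_all":
      return { decided: true, allowed: [...CATEGORIES], recordedAt: now };
    case "reject_all":
      return { decided: true, allowed: ["essential"], recordedAt: now };
    default:
      return state;
  }
}

// Gate that any cookie-setting code must pass through.
function mayUseCookie(state, category) {
  if (category === "essential") return true;
  return state.decided && state.allowed.includes(category);
}

// Build a document.cookie string for the given category, or null when the
// visitor has not allowed that category (so the caller sets nothing).
function cookieFor(state, category, name, value) {
  if (!mayUseCookie(state, category)) return null;
  return `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
}

// First-layer banner: accept and reject sit at the same level with the
// same style. "Manage" is an optional secondary link, not a substitute
// for a one-click reject.
function bannerSpec() {
  const style = "btn btn-primary"; // identical class for both choices
  return [
    { choice: "accept_all", label: "Accept All", style },
    { choice: "reject_all", label: "Reject All", style },
    { choice: "manage", label: "Manage Cookies", style: "btn btn-link" },
  ];
}

// Self-check a banner spec: both one-click options present, same styling.
function rejectAsProminentAsAccept(spec) {
  const accept = spec.find((b) => b.choice === "accept_all");
  const reject = spec.find((b) => b.choice === "reject_all");
  return Boolean(accept && reject && accept.style === reject.style);
}

// The recorded choice itself is stored in an essential cookie so the site
// can demonstrate when and what the visitor chose (assumed JSON format).
function serializeConsent(state) {
  return JSON.stringify(state);
}

function parseConsent(raw) {
  try {
    const s = JSON.parse(raw);
    if (typeof s.decided !== "boolean" || !Array.isArray(s.allowed)) {
      return initialConsent();
    }
    return s;
  } catch {
    return initialConsent(); // unreadable value: treat as no consent given
  }
}

// Stand-alone demo when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  const s = applyChoice(initialConsent(), "reject_all");
  console.log("analytics cookie after Reject All:", cookieFor(s, "analytics", "_ga", "demo"));
  console.log("banner compliant:", rejectAsProminentAsAccept(bannerSpec()));
}
```

The design point is that `applyChoice` only ever moves to a decided state on the two explicit buttons; a “Close” control, the kind the post notes on Twitter’s banner, maps to the default branch and sets nothing, which is what the GDPR’s “clear affirmative act” wording requires.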
It will be interesting to see whether other large tech corporations will amend their consent settings following CNIL’s fine or continue with the “let them eat cookies!” attitude.