Google, Facebook fined $237 million for cookie breaches and for making it difficult for EU internet users to easily reject online trackers
France’s data privacy watchdog CNIL has fined Alphabet’s Google €150 million ($169 million) and Facebook €60 ($68,000) million for violating EU privacy rules by making it difficult for French internet users to refuse online trackers known as cookies.
According to the information posted on its website, CNIL fined US-based Google and its Irish operations €90 million and €60 million respectively. The watchdog also fined Facebook’s Irish arm €60 million for failing to allow users to easily reject cookie tracking technology.
In a statement, CNIL’s head for data protection and sanctions Karin Kiefer said: “When you accept cookies, it’s done in just one click. Rejecting cookies should be as easy as accepting them.”
The watchdog also said that it had found that the facebook.com, google.fr, and youtube.com websites didn’t allow the refusal of cookies easily, citing Google’s video-streaming platform. The CNIL added that Google and Facebook also face a daily penalty of €100,000 if they do not fix their practices within three months of the CNIL issuing the decision. The two companies could also face an extra penalty payment of 100,000 euros per day of delay.
In a statement, a spokesperson for Facebook’s holding company Meta said, “We are reviewing the authority’s decision and remain committed to working with relevant authorities.” The spokesperson added: “Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”
“People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision,” a Google spokesperson said.
Meanwhile, this is not the first time Google has been fined for violating EU citizens’ privacy. As we reported in July 2020, The Belgian Data Protection Authority (APD) fined Google €600,000 for failure to comply with European rules on a person’s “right to be forgotten” online.
The fine, which was the highest fine ever imposed by the Belgian authority at the time, came after Google rejected a request from a Belgian citizen to have obsolete and damaging search results removed from the site’s search results. The fine is more than 10 times bigger than the authority’s previous record penalty.
Google failed to remove links from its search results to articles which APD said were “obsolete” and damaging to the reputation of a person with a public profile in Belgium. The news articles, which appeared in results linked to the person’s name, related to unfounded complaints of harassment. Google was “negligent” in deciding not to remove the links, given that the company had evidence that the facts were irrelevant and out of date, APD said.