European Cookie Rules Continue To Evolve

Written by: Richard Sheinis, Esq.

CNIL, the French Data Privacy Supervisory Authority, has fined Google 150 Million Euros, and Facebook 60 Million Euros, for having websites that do not make refusing cookies as easy as accepting them.  Prior GDPR guidance, and rulings from various supervisory authorities, required that websites using cookies have a cookie banner that allows individuals to accept or reject different categories of cookies on an individual basis.  We are now all used to seeing cookie banners that have a button on a website home page allowing the viewer to view individual cookie settings, and a button that allows the viewer to accept all cookies with one click.

Generally, these banners do not have a button that allows the viewer to refuse all cookies with one click.  CNIL found that neither Facebook nor Google websites had a button that allowed viewers to refuse all cookies with one click.  Therefore, it was easier for viewers to accept all cookies, than to refuse all cookies.  CNIL ruled that this inequivalence in the ease with which a person could refuse all cookies or accept all cookies, affects the viewers freedom, of consent.  The fact that viewers could not refuse the cookies as easily as they can accept them unfairly influences their choice in favor of consent.  This constitutes an infringement of Article 82 of the French Data Protection Act.

Although other supervisory authorities in EU member states have not made a similar ruling, we should consider this ruling by CNIL to be instructive.  The requirement to have a refuse all cookies button equally available with an accept all cookies button, is likely to be required throughout the EU and applicable to any company subject to GDPR.