It is hard to believe that the so-called cookie law is almost 20 years old. Despite that, companies still struggle with compliance, including some of the world’s leading technology companies.
The law is much maligned for not enhancing privacy and, at the same time, being anti-business. While many (including the UK government) have been calling for a change, it remains the law and needs to be complied with.
CNIL Action: Google and Facebook
To remind us of this, the French privacy regulator (the CNIL) issued large fines against Google and Facebook, €150 million and €60 million respectively, for breaching Article 82 of the French Data Protection Act (Privacy and Electronic Communications Directive 2002).
Following an investigation prompted by numerous complaints, the tech giants were penalised because visitors to their sites were greeted with cookie banners that permitted a one-click acceptance of cookies, in contrast to a far more complicated method of rejecting cookies. In order to reject cookies, visitors would have to complete several additional steps to customise cookie settings.
In the CNIL’s view, the contrast between one-click acceptance and multi-step rejection does not allow visitors to freely provide their consent for cookie collection, and the regulator saw this as a fundamental breach of cookie consent regulation.
Key Takeaways
So what lessons can other companies learn to ensure they aren’t subject to similar fines?