It is hard to believe that the so-called cookie law is almost 20 years old. Despite that, companies still struggle with compliance – including some of the world’s leading technology companies.

The law is much maligned for not enhancing privacy and, at the same time, being anti-business. While many (including the UK government) have been calling for a change, it remains the law and needs to be complied with.

CNIL Action: Google and Facebook

To remind us of this, the French privacy regulator (the CNIL) issued large fines against Google and Facebook, €150 million and €60 million respectively, for breaching Article 82 of the French Data Protection Act (Privacy and Electronic Communications Directive 2002).

Following an investigation prompted by numerous complaints, the tech giants were penalised because visitors to their sites were greeted with cookie banners that permitted one-click acceptance of cookies, in contrast to a far more complicated method of rejecting them. To reject cookies, visitors would have to complete several additional steps customising cookie settings.

In the CNIL’s view, the imbalance between one-click acceptance and multi-step rejection does not allow visitors to freely provide their consent for cookie collection, and it saw this as a fundamental breach of cookie consent regulation.

Key Takeaways

So what lessons can other companies learn to ensure they aren’t subject to similar fines?

  • Ensure that cookie acceptance and rejection options are balanced
  • Do not pair one-click acceptance with a labyrinth of steps to reject cookies. Avoid an endless selection of customisable cookies in such scenarios
  • If there is no balance, it is unlikely that consent will be validly obtained
  • If you utilise one-click acceptance, regulators will expect one-click rejection to feature alongside it
  • Make it easy to accept and reject all cookies

