France opens up new front against Big Tech with 'cookie banners' enforcement

05 July 2021 11:36 by Matthew Newman


“Cookie banners” on websites could be subject to a crackdown among EU privacy regulators, led by France, even as talks on updating the e-Privacy Directive remain stalled.

The EU directive was last updated in 2009 to include limits on advertising cookies — trackers placed in web browsers that gather data on users’ habits and send them to advertisers. The proposed update would make those restrictions more explicit, but has been stuck in the legislative process for years, with few recent signs of progress.

Against this background, France is forging ahead with its enforcement of the old directive, threatening the fast-growing business around behavioral advertising. Big Tech and French digital businesses alike have a lot at stake.

After the General Data Protection Regulation took effect in 2018, websites serving EU users introduced “cookie banners,” which prompt users to allow or reject tracking cookies.

But most of them allow users to accept cookies with just one click, whereas rejecting them takes several. Users are often obliged to delve into complex searches, sometimes several layers into a website, to figure out how to reject cookies.

Small differences in friction build up when encountered on each and every website. As “cookie fatigue” sets in, most users take the path of least resistance and accept the cookies. When they're given a truly free and equal choice, the consent rate drops.

In the absence of new e-privacy rules, France’s Commission Nationale de l'Informatique et des Libertés is cracking down with the tools it has. Publishers, for which personalized ads are much more lucrative than "contextual" ones — where the ad's content correlates to the content of the webpage — are worried.

On May 18, the CNIL put 20 organizations on formal notice that they had a month to bring their websites into conformity with France’s cookie guidelines. On June 29, the CNIL said all 20 were in line with the rules, but warned that “other formal notices could be issued and several sanctioning procedures have already been launched”.

French companies first?

There are also some fears among French companies that they could be targeted before those based outside the EU, putting them at a competitive disadvantage.

The CNIL declined to name which companies are under investigation. But according to a survey by Journal du Net, a digital-focused news site, 86 percent of the 185 most-visited sites in France indeed allow users to refuse the placement of cookies or to "continue without accepting." But for companies based outside of the EU, only 25 percent of sites — 24 in total — apply the same rules for their French sites.

Gwendal Le Grand, CNIL’s deputy secretary general, said in an interview with the Journal du Net last month that there's no discrimination in favor of foreign companies.

“There is no sense of impunity because the rules apply to everyone. International actors are and will also be sanctioned,” he said.*

“The CNIL has around 30 open procedures against French and foreign players and several sanction procedures, not to mention the investigation of complaints. The CNIL will continue to pursue all sites, including foreign sites, until they become compliant. This is one of its priorities,” he added.

The question for many Big Tech companies, such as Google and Facebook, is whether the CNIL will follow through with its threats, or if they will be given more time to get their sites in order. The regulator has put them on notice that they could face fines of up to 2 percent of global revenue if they fail to comply with the cookie guidelines.


France’s push to enforce its cookie guidelines, which went into effect in October 2020, has already resulted in major fines against Big Tech. In December 2020, the CNIL fined Google 100 million euros ($119 million) and Amazon 35 million euros under the national Data Protection Act, which implements the e-Privacy Directive. The fines concerned their cookie practices, though not cookie walls specifically.

France can pursue US tech companies despite the GDPR's "one-stop shop" mechanism, under which companies face enforcement in only one country: the one where they have their EU headquarters. For most US tech companies, the regulator is in Ireland as they’ve decided to base their operations there.

Last month, the EU’s top court ruled that the "one-stop shop" mechanism doesn’t apply to the e-Privacy Directive, in a case pitting the Belgian regulator against Facebook over its use of cookies.

Setting the example

Another question is to what extent other EU countries might follow France’s example as it cracks down on cookie banners. Each EU country implements the e-Privacy Directive differently: In some, enforcement is through the data protection authority, but in others it’s the telecom regulator.

Ireland will be an interesting one to watch, since it's already investigating Google, Facebook and Twitter for possible data privacy violations under the GDPR. The Irish Data Protection Commission issued guidance on cookies in April 2020 that suggests an equally tough line to the French.

“If you use a cookie banner or pop-up, you must not use an interface that ‘nudges’ a user into accepting cookies over rejecting them,” the guidance said.

“Therefore, if you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or to one which allows them to manage cookies and brings them to another layer of information in order to allow them do that, by cookie type and purpose.”

This approach could lead to the type of enforcement envisaged by the CNIL, all across Europe, even if the e-Privacy Regulation takes years to get through the EU legislature.

*MLex translation from the original French.
