France's CNIL fines may prompt Big Tech to adopt strict rules on cookie consent

France’s privacy watchdog is cracking down on how US Big Tech seeks consent from users for advertising cookies, which may oblige pan-European websites to adopt France’s strict approach.

The Commission Nationale de l'Informatique et des Libertés — France’s active enforcer of data protection rules — levied 210 million euros ($237 million) in penalties today against Google and Meta’s Facebook. It also ordered them to change their practices over violations of French rules that require websites to let users reject cookies as easily as they accept them.

The fines followed the CNIL’s campaign to enforce its interpretation of the EU’s 2002 e-Privacy Directive. It was updated in 2009 to give users control over cookies, which are small files that websites save onto user devices. Some are essential to let users easily navigate the web, allowing sites to store their information.

The problem is that the EU has failed to update its e-privacy rules after the General Data Protection Regulation took effect in 2018, giving privacy watchdogs in the 27-nation bloc the power to issue guidelines on how websites should seek consent from users.

With the prospect of revamping the rules dimming as EU negotiators’ positions remain wide apart, companies face diverse and often conflicting messages about how to enforce cookie rules. Some authorities are more lenient with consent, letting websites place “accept all” buttons on their front pages, with the option of rejecting them buried several layers down on a site with users forced to set complex cookie parameters.

But the CNIL has chosen to take a hard line. In October 2020, the authority issued guidelines on what information must be made available to Internet users and how cookie banners should be worded, forcing websites to give users a binary and simple choice of either accepting or rejecting cookies on the front page.

While other European privacy watchdogs have also published guidelines, the CNIL has been the most active in enforcing them. In December 2020, two Google entities were fined 100 million euros and Amazon Europe Core 35 million euros for violating EU rules on getting users’ consent for advertising cookies and failing to provide adequate information to users.

After a six-month grace period, dozens of French websites, from retailers to government agencies, were told last May they have one month to put their cookie-consent policies in line with guidelines or face fines of up to 2 percent of revenue. Small French websites complained, saying that they were being unfairly targeted when the big players — Google, Facebook and Amazon — were escaping enforcement.

That wasn’t the case, a CNIL official told MLex in an interview last year: “Large players” would also have to comply with the same rules. That much is clear from today’s fines.

More fines ahead?

Now that the CNIL has shown its mettle, it remains to be seen whether other US Big Tech companies will also face hefty fines.

Amazon appears to have received a clean bill of health. Last July, the CNIL said that the amazon.fr website has complied with the decision from December 2020 on users’ consent for cookies and the “means available to them to refuse them.”

Nevertheless, amazon.fr’s website today, as checked by MLex, gives users the choice of “accepting cookies” or “personalizing cookies.” Customers who want to reject advertising cookies must navigate several layers down into the website to save their preferences, seemingly contradicting the CNIL’s guidelines that accepting cookies must be as easy as rejecting them.

That raises the question: Will the CNIL revisit its decision from July following the decisions against Google and Facebook?

Another issue is whether smaller French websites that operate in countries outside of France will choose to follow the French approach and have one policy for cookies that applies across the EU.

If France is the only country leading the charge against websites, some may opt for keeping the status quo. After all, giving users the possibility of rejecting cookies on a website’s front page will inevitably lead to more people opting out of cookies, which will dent the site’s revenues.

It's difficult to gauge the precise impact of users’ rejecting tracking cookies. But French adtech companies have warned that if between 20 percent and 30 percent of users opt out of advertising cookies, there would be serious economic effects on small websites that rely on revenue from targeted ads. The consequences could be even more severe for French publishers, which have seen subscriber numbers decline steadily in recent years.

The question is whether EU legislators will resolve the legal and business uncertainly over interpreting cookies consent rules any time soon. In the absence of clarity, small websites could continue to take the more lucrative path and continue to annoy users with complex cookie consent banners.

Larger pan-European players may decide that the CNIL’s approach — such as requiring a “reject” button on the first level of the cookie banner — may be adopted by other authorities and it’s best to have one cookie consent policy for the entire bloc.