The fines are noteworthy as they reinforce the message that companies need to comply not only with the GDPR but also with any other laws that may apply to their websites, online activity, user or customer tracking and business model generally.
These fines were based on the EU e-Privacy Directive (in force since before the GDPR), which is often overlooked and with which many websites historically did not properly comply.
Regulators have recently been warning of poor past compliance and of an increased enforcement drive; we are now seeing that drive in action.
The fines against Google amounted to €150 million (€90 million for Google US and €60 million for Google Ireland) due to failures to meet various consent and information requirements. Facebook was similarly fined €60 million.
In the past, some companies adopted website, cookie and tracking practices that were not compliant (in whole or in part), for example by stating that a user’s continued browsing would amount to consent, or by not properly drafting or constructing cookie pop-up banners. Under European law, unless a cookie falls within a narrow category of exempted cookies, clear information must be given and clear consent obtained before it is dropped.
The CNIL highlights in this instance that while there was a clear button to immediately accept cookies, there was no equivalent button to easily refuse them; instead, numerous clicks and actions were required to refuse all.
Given users’ desire for speed and ease of use of websites, this was viewed as likely to drive people to accept all cookies when they may not really wish to, and hence to impair their freedom of choice.
These fines are also significant as they serve as a further reminder that anyone engaging in online tracking, profiling, online advertising, website data monetization and so on, needs to urgently review their practices for not just GDPR compliance but also for the e-Privacy Directive.
This is the case even if you are based in the US or another non-European location, and even if you have engaged in some corporate structuring to try to mitigate risks. Here, Google US still found itself investigated and fined by the CNIL, even though it had set up Google Ireland.
In addition, the “one stop shop” mechanism under the GDPR did not prevent the French regulator from taking direct action here, even though the Irish regulator did not act.
The e-Privacy Directive applies across all EU countries and the UK, and some past common practices are not lawful. In many cases, updates will be needed to avoid the risk of fines.
We recommend businesses now review practices carefully in light of this latest enforcement and bearing in mind the status quo likely won’t meet requirements.