France is going after the pesky online trackers known as cookies — and showing the world it’s not afraid to flex its muscles against Big Tech.
By announcing fines of €150 million for Google and €60 million for Facebook early on Thursday, the French privacy watchdog CNIL went much further than other EU watchdogs have gone to rein in the trackers, which allow advertisers to target people with tailored ads as they move around the internet.
The fines — first reported by POLITICO and levied for failing to allow French users to easily refuse cookies — come after the CNIL made tackling the tracking technology a key priority in early 2021. Cookies, the tracking tools responsible for irritating consent pop-ups and ads that follow you around the internet, are regularly decried as the scourge of the web, one that Paris has vowed to stamp out.
Blocked by Europe’s flagship General Data Protection Regulation from acting directly against some of the internet’s biggest players because of that rulebook’s enforcement mechanism, the French watchdog has chosen to use another set of EU privacy rules to rein in widespread cookie practices.
Under the e-Privacy Directive, the CNIL is free to take direct action against companies that otherwise would be overseen by the Irish Data Protection Commission, because the GDPR gives prime enforcement power to the country where the company is legally established. Many tech companies have their EU bases in Dublin.
“This topic is really a priority of our control policy this year, and if necessary these controls could be followed by formal notices, public or not, and financial penalties, public or not,” CNIL boss Marie-Laure Denis said in an interview last year.
As part of that drive, the watchdog has already imposed almost €350 million in financial penalties against Big Tech (it fined Google, again, and Amazon in late 2020), and warned more than 90 companies about their lack of compliance with cookie rules. So far, that trumps Ireland’s total of just over €225 million in fines against Big Tech, meted out in penalties for Twitter and WhatsApp for GDPR failures.
The French regulator has so far zoned in on two key violations: failing to allow users to refuse cookies as easily as it is to accept them, and automatically placing cookies on people’s devices before they even have a chance to accept or refuse them. These are widespread violations across the web, but so far only the CNIL seems serious about tackling them.