France recently fined Alphabet Inc’s Google $169 million and Meta Platforms’ Facebook $67 million on the grounds that the companies violated the EU e-Privacy directive (aka the EU “Cookie Law”) by requiring too many “clicks” for users to reject cookies. The result was that many users just accepted the cookies, thus allowing the identifiers to track their data. The French regulator gave the companies three months to come up with a solution that makes it as easy to reject cookies as it is to accept them. This is an important message for all companies as they review their cookie compliance in 2022 – make it as easy to refuse a cookie as it is to accept one.
It is interesting to note that these recent fines were not issued under GDPR, but rather under the older e-Privacy directive, which has been in effect since 2002. Unlike the GDPR, which only allows regulators to fine companies that have their European headquarters in the regulator’s country, the e-Privacy directive lets regulators issue fines against any company that does business in their jurisdiction.
The EU Cookie Law (which is not actually a law, but a directive) came into effect in 2002 and was amended in 2009 (amendment effective since 2011). This directive regulates the processing of personal data in the electronic communications sector, and specifically it regulates the use of electronic cookies on websites by conditioning use upon prior consent of users. Unless cookies are deemed strictly necessary for the most basic functions of a website (e.g., cookies that manage shopping cart contents), users must be given clear and comprehensive information about the purposes of processing data, storage, retention, and access, and they must also be able to give their consent and be provided with a way to refuse consent.