


Cookies and consent: French Data Protection Authority strikes hard against websites


published on 24 January 2023 | reading time approx. 7 minutes


A decision of the French CNIL of December 19, 2022 imposes a 60 million euro fine on Microsoft.

Internet players are still, unsurprisingly, the favorite target of the French and European authorities in charge of enforcing the protection of personal data and privacy rights.

Google, Amazon, Yahoo and Facebook are among the many key operators that have faced sanctions of several tens or hundreds of millions of euros for multiple instances of non-compliance of their websites or applications with the GDPR and the e-Privacy Directive. These European texts have been integrated into the French Data Protection Act ("Loi Informatique & Libertés"), which has been constantly updated in recent years to reflect these new standards of privacy protection.

The sanctions are in line with the strength of these economic operators and their responsibilities on the Internet, especially regarding the Internet users they address.

The web giants, generally of American or Chinese legal culture, have difficulty adapting to a market that proposes a different balance, aiming at protecting privacy as a priority rather than economic development.

The latest example is the decision of the CNIL (French Data Protection Authority) of December 19th, 2022, imposing a 60 million euro fine on Microsoft (Microsoft Ireland Operations Limited...). This decision addresses a particularly interesting subject: consent to cookies.

Cookies are small pieces of information deposited on your computer by the website you visit, the search engine you use, the browser you surf on, or the advertiser that offers you its products through targeted advertising. Some are non-personal information (technical, administrative, statistical...), useful or even essential to the proper functioning of our navigation on the Net: they generally do not require consent. Others are personal (commercial or targeted advertising cookies...) and aim in particular at offering Internet users personalized content or links, based on their browsing profile: consent is then required, with some exceptions.

These cookies are regulated by the French Data Protection Act (Article 82), which is the result of the transposition of several directives relating to personal data in the electronic communications sector, including the e-Privacy Directive, which are distinct from the GDPR. 

They are also the subject of CNIL directives, updated in September 2020. Finally, some rules are also laid down in the French Code of posts and electronic communications. Whether they collect non-personal data (technical, statistical, etc.) or personal data, cookies are subject to the principles of transparency and, where applicable, consent, which are common to most of the European texts transposed into the Data Protection Act.

Since September 2020, under the terms of the CNIL's directives, the mandatory "cookies" banner shown when a website is opened must be configured in a more detailed and precise manner, so that the Internet user (i) is correctly informed of the nature of the cookies, whether mandatory or optional, that are deposited on his or her computer, and (ii) is able to select, from among the optional ones, those that he or she wishes to authorize or not.

The principles governing this configuration are clarity, neutrality and completeness of the prior information, so as not to distort either the understanding or, if required, the consent of the Internet user, which we recall must be "free and informed".

Let's take an example: among the three buttons usually visible on a cookie banner, "accept", "refuse" or "set/select your cookies", if the "accept" button is more visible (bigger, more colored, better highlighted...) than the others, it could be considered as an attempt to force the user's consent. Similarly, if the settings of optional cookies (requiring consent) do not allow the user to refuse some of them, it will be a violation of the GDPR.

In this case, the complaints from Internet users concerned Microsoft's search engine "bing.com". The CNIL carried out various checks on this website between 2020 and 2021.

It was found that:
  • Some advertising cookies were deposited without collecting the prior consent of the Internet user;
  • The Internet user was not informed, or not correctly informed, of these particular deposits;
  • There was no button allowing the user to refuse cookies as easily as to accept them. In this case, refusal required several clicks, as if to confirm the will to refuse, while acceptance was facilitated with a single click.

Here again, the banner was configured in a way that tended to implicitly force consent instead of putting the three options at the same level.

In its exchanges with the CNIL, Microsoft pointed out that the cookies in question were "multi-functional" and that most of their functionalities fell under the two exceptions to the mandatory system of prior consent of the Internet user, as provided for in Article 82 of the Act:
  • The fact that their exclusive purpose is to allow or facilitate electronic communication;
  • The fact of being strictly necessary for the provision of an online communication service at the request of the user.

Microsoft considered that the purposes pursued by these cookies, whether essential or not, constituted an "indivisible whole", which did not allow for the isolation of non-essential functionalities for which, taken separately, consent might have been required. 

They would therefore fall under these exceptions to consent. Rejecting the idea of inseparability for the assessment of the rules of consent, the CNIL looked instead at the various purposes pursued by these multi-functional cookies.

Noting that at least one of the purposes pursued was contextual advertising, consisting in proposing advertising content according to the context in which the Internet user browses, the CNIL found that it characterized a breach of Article 82 of the Data Protection Act, as this purpose does not fall under the two exceptions to consent.

The CNIL also identified other cookies of an advertising nature, mistakenly deposited on the user's terminal without his or her consent. According to the CNIL, this basic error constitutes, on the part of an actor such as Microsoft, inexcusable negligence.

Finally, the CNIL denounced the lack of adequate information for the user, as well as the configuration of the cookie banner, which steered the user towards consent: accepting cookies was made easy, while refusing them was made more complicated, requiring at least two clicks.

It should be remembered that breaches of the GDPR are punishable by fines of up to 2 or 4% of the worldwide turnover of the accused data controller (Article 82 GDPR). 

In addition, the EDPS, the European authority responsible for coordinating the application of the GDPR by national authorities, published guidelines in May 2022 on how to calculate administrative fines adopted by said national authorities. Fines are imposed on the basis of three main criteria: 
  • The type of infringement involved;
  • The gravity of the infringement;
  • The turnover of the company.

On this basis, the calculation would be carried out, according to these guidelines, in five steps:
  1. Determination of the number of infringement cases and the number of infringements;
  2. Determination of the starting point of the infringement for which the fine is calculated;
  3. Consideration of aggravating factors. As an example, for breaches related to an Internet website, the responsibility of Internet operators will be much stronger than that of an ordinary company operating an e-commerce site, and even stronger than that of an association offering a showcase website, if only because of the number of people affected.
  4. Determination of the legal ceilings of the fines, as fixed by article 83 of the GDPR;
  5. Verification that the amount of the fine envisaged corresponds to the requirements of effectiveness, deterrence and proportionality, in order to apply possible adjustments. Obviously, this criterion is much more flexible than the first ones and allows for a re-evaluation of each case.

In this case the fine was deliberately set at a severe and exemplary level, taking into account these elements, and in particular:
  • the nature of the entity concerned (one of the major Internet players) and the market position of "bing", Google's main competitor;
  • the number of people affected (nearly 11 million users in France) and Microsoft's profits, derived precisely from the exploitation of Internet users' data, whether personal or not.

The CNIL also recalled that Microsoft had had a certain amount of time, after an initial inspection, to comply, which it had not fully done.

As an ancillary, procedural matter, it is interesting to note that the CNIL considered itself competent to deal with these facts. On the one hand, the "one-stop shop" mechanism of the GDPR, which could have led to a jurisdiction other than the French one, does not apply, since the "cookies" regulation is mainly based on the "e-Privacy" Directive, which has also been transposed into the French Data Protection Act (art. 82) and into the French Post and Electronic Communications Code. On the other hand, the cookies concern websites and activities operated in France by Microsoft France, a French establishment of the Microsoft group, whose data controller in Europe for the "bing" engine is Microsoft Ireland.

DATA PROTECTION BITES

author


Frédéric Bourguet

Avocat

Associate Partner
