The Commission Nationale de l’Informatique et des Libertés, the French Data Protection Agency, has issued a 150M Euro fine against Google and a 60M Euro fine against Facebook/Meta for cookie consent violations.

Here are some key takeaways, and their US relevance:

  • It must be as easy to refuse cookies as it is to accept them.
  • An “accept all” button requires one action to accept. A process where “manage options” leads you to another screen where you scroll (or unclick) and then click an “accept” button to reject cookies is three actions. Therefore, the consent is not freely given for the purpose of the ePrivacy directive. (That is important for CCPA/CPRA, where the regs also say that the process for opting out should be as easy as the one for opting in.)
  • The modalities allowing users to consent or refuse must be presented in a clear and understandable manner. In particular, when the refusal can be manifested by simply closing the window for collecting consent or by not interacting with it for a certain period of time, this possibility must be clearly indicated to users on that window. (CCPA and the FTC also require such clear presentation.)
  • You have to provide the information in a clear and complete way so that the user understands the meaning of the choices.
  • It is counter-intuitive to have to click on a button entitled “Accept cookies” to actually refuse their deposit. This encourages the user to think that it is ultimately not possible to continue browsing by having refused the deposit of advertising cookies, since the entire process of refusing cookies is based on information referring to the acceptance of cookies.

If you speak French, you can read more here.