Deliberation of the Restricted Committee concerning Facebook Ireland Limited

€60,000,000 in fines

Excerpt

The French DPA found Facebook guilty of making it more complex for users to refuse cookies than to accept them, and of not providing users with clear information on how to refuse cookies.

Our analysis

When a user in France visits Facebook's website, they can easily agree to the deposit of advertising cookies by clicking on the "Accept cookies" button in the first window. To refuse these cookies, however, the user must complete three separate actions. First, they must click on the "Manage data settings" button located above the "Accept cookies" button in the first window. Second, they must scroll through the entire content of the second window, in particular to confirm that the two sliding buttons allowing the deposit of advertising cookies are disabled by default. Finally, they must click on the "Accept all" button located at the bottom of this second window.
The restricted committee concluded that this complex mechanism for rejecting cookies amounts to discouraging users from refusing cookies and encouraging them to favor the "Accept cookies" button. The methods Facebook provides for refusing cookies skew the expression of choice in favor of consent and alter freedom of choice. Having to click on "Manage data settings" and then work out how the page is set up in order to reject cookies, the user is likely to become discouraged and ultimately choose to accept cookies. Additionally, the information about accepting or rejecting cookies was unclear, which made the choice difficult for users.
Facebook's website uses deceptive patterns, such as forced action, obstruction, and hidden information, to discourage users from refusing advertising cookies and to favor the "Accept cookies" button. By doing so, Facebook has violated several laws, including Article 82 of the French Data Protection Act, Article 4(11) of the GDPR, and Article 5(3) of the ePrivacy Directive. Facebook's use of deceptive patterns is counter-intuitive, as users must click on a button titled "Accept cookies" to refuse the deposit of cookies. This method encourages the user to believe that it is not possible to continue browsing if they refuse the deposit of advertising cookies.

Outcome

The CNIL imposed a fine of €60,000,000 on Facebook Ireland Limited for violating Article 82 of the Loi 'Informatique et Libertés'. Facebook was also ordered to simplify its methods for obtaining consent from French users to read and write information on their terminals. The CNIL attached a penalty of €100,000 per day of delay to the injunction, with proof of compliance required within three months. The decision was made public on the CNIL and Légifrance websites, with the company's name to be removed after two years.

Parties

CNIL - French Data Protection Authority and Facebook Ireland Limited

Case number

SAN-2021-024

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.
