SaaS Agreements – Cookies – Are your Cookie Banners Compliant?

SaaS suppliers and SaaS customers should take note of three recent data protection fines issued against Facebook and Google by the French Data Protection Authority (“CNIL”) for non-compliant cookie banners on their websites.

The fines were issued pursuant to breaches of French Data Protection Law and the GDPR and highlight common non-compliant cookie banner practices that many websites use.

Fines imposed

Google were fined €150 million and Facebook €60 million.

In assessing the amount of the fines, CNIL took into account:

  • The number of users;
  • The revenue the companies raised from advertising indirectly generated by the data collected from the cookies; and
  • The fact that CNIL had repeatedly warned Google and Facebook that they were in breach.

Google

In January 2022 Google LLC and Google Ireland Limited were fined €90 million and €60 million respectively for failing to make it as easy to reject the use of cookies in their cookie banners as it was to accept the use of cookies on google.fr and youtube.com.

Consent Method

The cookie banner displayed on both websites contained a button allowing immediate acceptance of cookies, but no similar means were offered to enable a user to as easily refuse the use of cookies, as:

  • To refuse cookies, users had to perform at least five actions: clicking on the ‘customise’ button, then clicking on each of the three buttons to select ‘disabled’ – each button corresponding to ‘personalization of the search’, ‘YouTube history’, and ‘ad personalisation’ – and finally clicking on ‘confirm’;
  • To accept cookies, users simply needed to click once on ‘I accept’.

Breaches

The mechanism for refusing cookies was more complex than the mechanism for accepting cookies. Under French data protection law this amounted to discouraging users from refusing cookies and encouraging them to favour the “I accept” button.

In addition to fining Google, CNIL:

  • Ordered Google to make their website compliant within three months; and
  • Provided for additional fines of €100,000 per day to be imposed for non-compliance following the end of the three-month period.

Facebook

In January 2022 Facebook Ireland Limited (now Meta Platforms Ireland Limited) was fined €60 million for failing to make it as easy to reject consent to the use of cookies as it was to accept cookies on facebook.com.

Consent Method

When a user accessed facebook.com, a pop-up window “Accept cookies from Facebook in this browser” appeared. Two buttons “Manage data parameters” and “Accept all” appeared at the bottom of the window. In order to continue browsing, the user was obliged to click on one of the two buttons.

  • If the user clicked the “Accept all” button they could continue browsing;
  • If the user clicked the “Manage data settings” button, a new pop-up window appeared, displaying two consent slider buttons relating to personalised ads. The two sliders were disabled. However, the user still had to click on the “Accept cookies” button at the bottom of this window to continue browsing without any advertising cookies being set.

Breaches

The General Data Protection Regulation (“GDPR”) states that consent:

  • Must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or by a clear affirmative action – Article 4(11);
  • Should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment – Recital 42.

Facebook’s cookie banner did not allow users to refuse cookies with the same degree of simplicity as required to accept them, in breach of the above rules on obtaining consent freely.

In addition to fining Facebook, CNIL:

  • Ordered Facebook to modify its methods for collecting consent to the use of cookies by offering users a means of refusing cookies as simple as the mechanism provided for acceptance of cookies; and
  • Provided for additional fines of €100,000 per day to be imposed for non-compliance following the end of the three-month period.

CNIL also decided to publish this decision despite Facebook requesting that it did not do so. CNIL justified publication on the grounds of the seriousness of the infringement in question, the scope of the processing, and the number of people concerned.

Summary

In light of the above, SaaS suppliers and SaaS customers should ensure that their cookie banners do not adopt such practices. Many EU member state data protection authorities are now proactively checking cookie banners and are imposing large fines and enforcing compliance for breaches.

Many national data protection authorities have published their own detailed cookie guidelines and these guidelines should be followed in the applicable jurisdiction.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years’ experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues, please contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com
