New cookie consent popup launched by Google following CNIL fine

Google is rolling out a new cookie consent pop up, after receiving a fine from the CNIL under the EU GDPR.


Google recently shared a preview of its new cookie consent popup. This new popup will initially be available on YouTube in France. However Google has expressed that it plans to roll out the new design across all Google services in Europe. This new cookie consent popup comes a few months after the CNIL of France fined Google €150 million for breaching data protection law. According to CNIL, Google failed to comply with current regulation with regard to presenting tracking choices to users with the previous cookie consent popup. Not only has the text been updated, but more importantly, the choices offered at the bottom of the cookie consent popup are very different.


Google made some drastic changes to the choices offered at the bottom of the new cookie consent pop up.


The choices at the bottom of the screen, as will be reflected in the new cookie consent popup, are radically different. With the old design, users had two options — “I Agree” and “Customize”. With the old popup, users who clicked on “Customize”, would be taken to a separate web page with several options. In order to disable all personalization settings, they would have to click “off” three times and then click confirm. In the new design, there is now a third option, a “Deny All” button that lets users opt out of tracking altogether with a single click, with the two main buttons being the same color, size and shape. Under the EU GDPR and the ePrivacy rules, online services have to obtain clear consent from their users before they can process not-strictly necessary cookies data. Consent must be informed, specific and freely given in order for it to be legally obtained. The new approach will allow Google to get more meaningful consent from users.


Inspired by guidance from the CNIL, under the EU GDPR, Google has overhauled its approach to managing cookies.


After the initial roll out of the updated popup on YouTube in France, Google plans to use the same design for its search engine as well across the European Economic Area, the U.K. and Switzerland. Many users won’t see the updated popup. Users who are already logged into a Google account have settings that are already stored in their profiles. Also, people who are using Google Chrome more than likely have their web browser tied to their Google accounts if they have ever logged into a Google service in the past. New users will soon experience more options with the new cookie consent popup. Existing users can however review their privacy settings. “Following conversations and in accordance with specific directives from the Commission nationale de l’informatique et des libertés (CNIL), we carried out a complete overhaul of our approach. In particular, we have changed the infrastructure we use to manage cookies,” Google wrote in a recent blog.

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

GDPR consent data protection officer

GDPR consent explained by WP29

GDPR consent requirements, one of the most difficult GDPR areas for businesses to comply with, have been further explained by Article 29 Working Party. This is our choice of highlights from the new GDPR Consent Guidelines.

GDPR consent data protection officer

Imbalance of power does not in all cases preclude valid GDPR consent

Although cases of consent by employee to employer are generally viewed with suspicion by WP29, EU’s top body for data protection clarifies some cases of such consent may be coercion-free. In some cases that do not essentially affect employment relations, employers may be able to offer meaningful, non-punitive alternatives to employees who do not give consent (e.g. alternative desk space of equal quality to people who refuse to consent to being shown on the camera).

Conditionality affecting GDPR consent

In order for GDPR consent to be valid, the provision of the service provided by the business should not be “conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.  This does not fully exclude the possibility of obtaining a valid consent at the point of contracting. However, where consent is refused, the alternative service provided should be “genuinely equivalent” including in terms of “no further costs”.

Layout of a valid GDPR consent

GDPR consent rule prohibits hiding consent in other ‘Terms and Conditions’. But this does not prohibit layered notices as such, especially if one considers ‘small screens’ or otherwise limited space to accommodate information.

Do you require assistance preparing for GDPR and manage your data protection obligations once GDPR becomes applicable? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.