CNIL has recently lifted an injunction placed on Facebook last December, regarding the company’s use of cookies.
Last December, CNIL ordered Facebook Ireland Limited to allow the use of facebook.com by users in France, in a manner that allows these users to refuse having cookies deposited on their device, just as easily as they are able to accept them. This is a stipulation required by Article 82 of the French Data Protection Act, to allow users to give true consent to those cookies. According to this report from CNIL, Facebook was required to comply with this injunction within three months, as well as pay a fine of €60 million. Any delay in complying with this, would have been met with a penalty of €100,000 per day, as per the Facebook cookie injunction imposed on December 31st 2021.
The Facebook cookie injunction was lifted after the company made necessary changes to its cookie banner.
CNIL noted that the changes made by Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) were accomplished within the timeframe necessary. This change includes the inclusion of an “Only allow essential cookies” button above the button for acceptance of all cookies — the “Allow essential and optional cookies” button. CNIL saw this change as satisfactory for compliance with the injunction and therefore had the injunction lifted, and closed that case on July 11, 2022.
This change particularly relates to the scope of the injunction issued in the deliberation by CNIL on December 31, 2021.
This decision to lift the injunction does not prejudge CNIL’s analysis of the compliance of the new cookie consent windows deployed on the “facebook.com” site as it relates to all the provisions of Article 82 of the French Data Protection Act. This decision does not relate, in particular to the company’s requirement to provide “clear and complete” information to users or to obtain user consent for each purpose. As a result, CNIL still reserves the right to preside over the compliance of the “facebook.com” site moving forward, with regard to these other requirements and, if necessary, to mobilize law enforcement.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.