The cost of cookie law infringement on your business

2022 looks to be a busy year for data protection professionals as new legislation both in Europe and the US stands to make an impact on areas such artificial intelligence (AI), digital markets and children’s privacy. Proposed changes to the UK Data Protection Act could also affect how businesses are currently achieving compliance.
In this year’s first issue of In Perspective, Samad Miah, Data Protection Consultant at Xcina Consulting, looks at new guidance issued by the French data protection authority relating to the reuse of personal data by processors as well as new record sanctions for tech giants Google and Facebook.
Stay on top of the latest developments and what they might mean for you. Our weekly analysis looks at what happened and why it matters, read our complete review below.
What happened
- The French data protection authority (the CNIL) has issued new guidance on the ability of data processors to be able to reuse personal data for their own purposes (e.g. for product development).
- Increasingly, processors would like to know how customers are using their services so they can improve and develop their products and keep pace with competitors.
- The GDPR places strict limitations on what is permissible and states that processors must only act on the documented instructions of the data controller.
- The CNIL’s guidance now makes it clear that processors can reuse personal data for their own purposes where (a) the original controller grants explicit permission, and (b) the new purpose is ‘compatible’ with the original purpose for processing.
- This test for purpose compatibility should consider the data subject’s reasonable expectations and the use of appropriate safeguards (such as pseudonymisation).
Why it matters
- This guidance addresses a question that many service providers have deliberated: when can a processor use personal data it obtains from a controller for purposes broader than just strictly providing services to the controller? For example, can a processor use the data to develop its products or services?
- Following a compatibility test and the explicit permission of the data controller, the CNIL’s guidance further states that the processor would become a controller when reusing the personal data for its own purposes (and therefore be bound by the more onerous obligations faced by a data controller under the GDPR).
- This includes obligations relating to transparency (i.e. providing a Privacy Notice) and lawfulness (e.g. seeking consent from the data subject prior to processing, where applicable).
What happened
- The French data protection authority (the CNIL) has fined Facebook Ireland €60m and Google a total of €150m for failing to allow the users of facebook.com, google.fr and youtube.com to reject cookies as easily as they may accept them.
- Article 82 of the French Data Protection Act requires a website’s cookies banner to contain the option to reject cookies as well as to accept them.
- However, although Google’s and Facebook’s banners contained a button allowing users to instantly accept cookies, it did not offer an equivalent solution to reject the cookies as easily.
- Several clicks were necessary to reject all cookies (3 for Facebook and 5 for Google), when only one click was necessary to accept them all.
Why it matters
- When making its final decision, the CNIL examined the scope of the processing, the high number of data subjects and the substantial profits generated by Facebook and Google from advertising using the data collected through cookies.
- In the UK, the British data protection authority also takes a similar view to the CNIL’s decision stating that organisations emphasising the ‘agree’/’allow’ cookie options over the ‘reject’/’block’ cookie options would not be collecting consent in a compliant way and that this would also be true if the ‘reject’/’block’ option were located in a second layer and the ‘agree’/’allow’ cookie option were available the first layer.
What happened
- Facebook’s parent company Meta is the focus of a major class-action lawsuit in the UK over claims it abused its dominant market position to exploit the personal data of users in the UK.
- The suit states that Facebook imposed ‘take it or leave it’ terms and conditions on its users, utilising their data to build profiles which were then used to generate profit and that users were not recompensed for this.
- The suit will be filed before the UK’s Competition Appeal Tribunal, which will consider whether to allow the case to proceed to trial.
Why it matters
- The case is an opt-out class-action suit, meaning users do not need to join in seeking damages proactively. Unless they choose not to be, anyone who logged onto a Facebook account in the UK during the specified period is included in the case.
- The case will fall under the UK’s Competition Act, and the lawyers involved in the suit will seek compensation of at least £2.3bn for those they say were impacted by the company’s practices between October 2015 and December 2019.
A useful blog post on the key developments expected in data protection and privacy in 2022 can be found here. These include a wave new legislation from the European Union related to AI and non-personal data and developments in the US in both Federal and State privacy laws.