CNIL (Commission Nationale Informatique & Libertés) says it has fined Google about 170 million USD and Facebook around 68 million USD for breaking French (and pan-EU) law on cookie consent rules.
The regulator said it was acting after receiving a lot of complaints.
CNIL found that the pair do not let users reject non-essential cookies as easily as they let them accept all tracking.
Here's a snippet from CNIL's press release:
“ … the information given by the company is not clear since, to refuse the deposit of cookies, Internet users must click on a button entitled “Accept cookies”, displayed in the second window. It considered that such a title necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it. The restricted committee judged that the methods of collecting consent proposed to users, as well as the lack of clarity of information provided to them, constitute violations of Article 82 of the French Data Protection Act.”
Under EU law, if consent is a legal basis being claimed for processing people's data, there are strict standards that need to be followed.
Complaints against Facebook and Google over similar consent issues are investigated by the Irish Data Protection Commission (DPC), which under the one-stop-shop (OSS) mechanism of the EU's General Data Protection Regulation (GDPR) is the centralized enforcer for most of big tech.