Google LLC – Violation Found (France, 2023)

This decision follows from a previous decision of the French DPA (SAN 2021-023 of 31 December 2021), in which said DPA fined Google LLC €90,000,000 and Google Ireland Limited €60,000,000 for violating Article 82 of the French Data Protection Act. This Act transposes the ePrivacy Directive into domestic French law. Article 82 of the French Data Protection Act is the national equivalent to Article 5(3) of the ePrivacy Directive (2002/58/EC), which stipulates that the storing of user information or the gaining of access to information already stored, is only permitted on the condition that the user has already given their informed consent. The French DPA had fined Google LLC and Google Ireland Limited in decision SAN 2021-023 for failing to offer users a way of rejecting cookies. It ordered Google to bring its processing activities into compliance and imposed an additional periodic fine of €100,000 per day if Google failed to bring its processing activities into compliance within 3 months. On 24 April 2022, Google sent the French DPA its proposed cookie amendments, which included a button titled "reject all." Between April and June 2022, Google sent further information to the French DPA, and on 5 August 2022, the French DPA re-investigated the matter to ensure that the updated cookie system was compliant. On 25 January 2023 the French DPA requested further information from Google on their system, which Google provided on 28 April 2023. The French DPA held that Google's updated cookie system was compliant, as the implementation of the "reject all" button offered a means of users refusing the storage of and access to their information, pursuant to Article 82 of the French Data Protection Act. Consequently, the French DPA decided to dismiss the periodic fine of €100,000 per day in the case of non-compliance, as the updated cookie banner was lawful.