Google and Facebook fined millions for aggravated cookie refusal

The French data protection authority CNIL fined Google 150 million euros and Facebook 60 million euros. 

The reason, according to the restricted committee, the body of the CNIL responsible for issuing sanctions: "Several clicks are required to refuse all cookies, against a single one to accept them." (see

In Germany, too, despite a clear legal situation, it is common practice for websites to make refusing cookies more difficult than accepting them, as shown here by the example of the website (as of 07.01.2022):

A reject button is not even visible at first. Thus, at least one additional click is necessary to use the website without cookies.

According to Art. 7 GDPR, the revocation of consent (the rejection) must also be as simple as the consent itself. Rejection must not be made more difficult than consent by requiring more clicks.

It remains to be seen whether website operators in Germany will also have to fear penalties in the millions due to illegally designed consent dialogues. What is clear, however, is that the possibilities for sanctions have increased once again as a result of the TTDSG, which came into force in December 2021. In addition, there is a first court ruling from Hessen, Germany, according to which those affected can also sue for injunctive relief directly in summary proceedings. On top of that come the waves of mass legal warnings from consumer and data protection organisations such as that of data protection activist Max Schrems (noyb).

We therefore recommend reviewing the design of the consent dialogue used, not only with regard to the equivalent design of consent and rejection options, but also with regard to further pitfalls. See our article Assistance with the legally compliant design of consent banners is also provided in the handout on data protection compliant consent on websites and on requirements for consent layers by the Lower Saxony data protection authority.
