EU Regulation 2016/679 - Decision Register

DECISION OF THE CNIL / SAN-2021-023 / 6 JANUARY 2022

Google €150 Million CNIL Fine, 2022 Cookie Banner Decision Explained

France's data protection authority fined Google LLC €150 million (and Google Ireland a further €90 million) for cookie-banner designs that made refusing cookies harder than accepting them. The decision crystallised the 'refuse as easily as accept' standard.

Fine amount

€150,000,000

Issuing DPA

French CNIL

Decision date

6 January 2022

Status

Final

Articles cited

Art 82 LIL / ePrivacy 5(3)

EDUCATIONAL ONLY

This page is a reference summary of a published regulator decision. It is not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. The UK GDPR is a separate regime from the EU GDPR following Brexit. Always read the source decision in full before relying on any figure or quote.

DECISION SUMMARY

What happened

On 6 January 2022, the Commission Nationale de l'Informatique et des Libertés (CNIL) imposed sanctions totalling €150 million on Google LLC and €90 million on Google Ireland Limited, with a parallel €60 million sanction against Facebook Ireland Limited (now Meta Platforms Ireland). The aggregate €300 million enforcement day was the largest in CNIL history at the time and is the leading authority on cookie-banner user-interface obligations in the EU.

The complaints originated with individual users and the French digital-rights NGO La Quadrature du Net, who reported that the cookie banners on google.fr, youtube.com and facebook.com (in their then-current versions) did not allow users to refuse cookies as easily as accept them. The first-screen design typically offered a prominent "Accept all" button. The refusal path required either clicking "Manage settings" or "Customise" to reach a second screen, then making multiple per-category selections, then confirming. The structural asymmetry between accept and refuse was the central issue.

The decision is significant because it applies the ePrivacy Directive (and its French implementing law) rather than the GDPR itself, though the substantive concept of consent is shared. Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC) requires that storing information on, or accessing information from, a user's terminal equipment requires the user's consent. Article 4(11) GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement". The CNIL's analysis is that consent cannot be freely given where refusing requires materially more user effort than accepting.

What the CNIL found

The CNIL conducted a documented walkthrough of the Google cookie banner UX. On google.fr, it found that the first screen offered "Accept all" as a single-click action, but no equivalent "Reject all" option. To refuse all cookies, a user had to click "More options", then navigate to a second screen with multiple per-category toggles (default on for most), then deselect each toggle, then click "Confirm". The asymmetry was stark: accept all was one click; refuse all required at least four interactions across two screens. The CNIL found this design did not satisfy the freely-given requirement of consent.

A secondary finding addressed the youtube.com banner, which had a similar architecture. The decision treated google.fr and youtube.com as separate processing operations subject to separate sanctions, justifying the two-entity sanction structure (Google LLC for google.fr, Google Ireland for youtube.com).

The CNIL also addressed the proportionality of its sanction. It noted the considerable user base affected (tens of millions of French users), the duration of the infringement (continuing from at least early 2020), the financial advantages drawn by Google from advertising revenue dependent on cookie-based tracking, and the failure of Google to address the design issue notwithstanding warnings from the CNIL and from the EDPB Guidelines 05/2020 on consent (which explicitly identified asymmetric accept/refuse UX as non-compliant).

The injunction component

Alongside the financial sanction, the CNIL issued an injunction requiring Google to provide French users with a refusal mechanism as simple as the existing acceptance mechanism, within three months of the decision notification. The injunction was accompanied by a penalty of €100,000 per day of delay. Google complied within the three-month period by rolling out a revised banner with "Reject all" alongside "Accept all" on the first screen.

Why this case matters

The "refuse as easily as accept" principle has now been adopted as a baseline standard for cookie banners across the EU and the UK. The CNIL applied it to Google and Facebook in January 2022, to Amazon (€35 million, December 2020), to Microsoft (€60 million, December 2022), and to several smaller controllers. The German federal regulator, the Spanish AEPD and the Italian Garante have endorsed the same standard in their own enforcement.

The practical consequence for controllers is concrete: a cookie banner must offer a refusal action that is no more burdensome than the acceptance action. In practice, this means either both options on the first screen with equal visual weight, or both options on the first screen with the refusal as the default state. Multi-click refusal paths, hidden refusal options, and dark-patterns favouring acceptance all fall foul of the principle.

The case also illustrates a broader regulatory architecture point. Cookie consent is governed by ePrivacy, which is a Directive (requiring national implementation) rather than a Regulation. Each Member State's data protection authority enforces cookie consent under national law (Article 82 of the French Loi Informatique et Libertés, the UK PECR equivalent, the German Telemedia Act, etc). The proposed ePrivacy Regulation, which would replace the Directive with a directly-applicable instrument harmonised at EU level, has been under negotiation since 2017 and remains pending. Until it is adopted, cookie enforcement is fragmented across 27 Member States, which leaves the CNIL as arguably the most influential single authority because of the scale of its enforcement.

FREQUENTLY ASKED

About the Google €150 million cookie fine

Why did the CNIL fine Google €150 million for cookies?
The CNIL found that Google's cookie banner on google.fr and youtube.com did not allow users to refuse cookies as easily as accept them. The 'Accept all' button was a single click; refusing cookies required navigating to a second screen and making multiple selections. The CNIL found this breached the requirement under Article 82 of the French Data Protection Act (implementing Article 5(3) of the ePrivacy Directive) that consent to store or access information on terminal equipment be freely given.
Why is this a French law fine and not a GDPR fine?
Cookie consent specifically is governed by the ePrivacy Directive (2002/58/EC), implemented in French law through Article 82 of the Loi Informatique et Libertés. This is a separate framework from the GDPR, with separate enforcement powers for the CNIL. However, the substantive concept of consent under Article 82 LIL is interpreted by reference to the GDPR definition in Article 4(11) and the EDPB guidelines. So a 'cookie fine' is enforced under ePrivacy, but the substantive analysis tracks GDPR consent principles.
What about the €60 million Facebook fine on the same day?
On the same day (6 January 2022), the CNIL issued parallel fines totalling €210 million: €150 million to Google LLC, €90 million to Google Ireland Limited, and €60 million to Facebook Ireland Limited. All three fines concerned cookie-banner UX, on the same legal theory. The combined €300M sanction was the largest CNIL enforcement day to date.
Has Google changed its cookie banner?
Yes. Google rolled out a revised cookie banner across European Google services in April 2022, adding a 'Reject all' button alongside 'Accept all' on the first screen of the banner. Subsequent CNIL communications acknowledged that the redesigned banner addressed the specific criticisms in the January 2022 decision.
Did the CNIL also fine Google for analytics in 2022?
Separately. In February 2022, the CNIL issued enforcement notices to multiple French website operators (not Google itself) finding that the use of Google Analytics in its then-current configuration breached Chapter V GDPR (transfers to the US under Schrems II). These were separate decisions on a separate legal basis, but they illustrate that Google's services touched multiple CNIL enforcement priorities at the time.
How does the CNIL calculate cookie fines?
Cookie fines under Article 82 LIL have their own statutory ceiling, capped at €20 million or 4% of global annual turnover, mirroring the GDPR Article 83(5) framework. The CNIL applies analogous proportionality factors, including the gravity of the infringement, the number of users affected, the duration, the size of the controller, and any aggravating/mitigating circumstances.

CROSS-REFERENCES

Related entries on this register

ARTICLE 7

Article 7 Consent & Cookie Enforcement

The consent-and-cookies framework with this Google decision as the leading authority.

Open reference →

SUPERVISORY AUTHORITY

French CNIL Profile

Europe's leading cookie-enforcement authority. Profile and full enforcement record.

Open reference →

RELATED CASE

Amazon €746M CNPD Fine (2021)

Different DPA, different mechanism, same advertising-consent theme.

Open reference →

RELATED CASE

Meta €1.2B DPC Fine (2023)

Chapter V transfers case from a related controller and DPA.

Open reference →

ECONOMICS

Compliance Cost vs Fine Cost

How an Article 82 LIL-compliant cookie banner compares to a €150M fine.

Open reference →

REGISTER

Full Decision Register

Every major indexed fine.

Open reference →

SOURCES & CITATIONS

Primary sources

Figures as of May 2026. Verified against published DPA decisions.

REGISTER UPDATED 2026-04-28