CNIL gives Facebook 3 months to fix consent or face sanctions

France’s Data Protection Regulator, the CNIL, has issued Facebook with a formal notice which states that it expects the company to comply with France’s Data Protection Act within three months. The issue in question is about fair collection of personal data of Internet users who do not have a Facebook account. The CNIL says that Facebook must provide account holders with the means to object to the use of their data for advertising purposes.

The letter is in a similar vein to action taken last year by Belgium’s DPA, which imposed on Facebook a fine of 250,000 Euros per day (PL&B International Report December 2015, p.1). In both cases, Facebook has responded that the cookie collecting the data is necessary for security purposes.

The CNIL says that a DPA working group, composed of France, Belgium, the Netherlands, Spain and the state Data Protection Commissioner of Hamburg (the location of Facebook’s head office in Germany), was set up in March 2015 to investigate the issue. The CNIL now finds that:

  • Facebook collects, without providing prior information, data concerning the browsing activity of Internet users who do not have a Facebook account. Indeed, the company does not inform Internet users that it sets a cookie on their terminal when they visit a Facebook public page (e.g. page of a public event or of a friend). This cookie transmits to Facebook information relating to third-party websites offering Facebook plugins (e.g. Like button) that are visited by Internet users.
  • The social network collects data concerning the sexual orientation and the religious and political views of account holders without their explicit consent. In addition, Internet users are not informed on the sign-up form with regard to their rights and the processing of their personal data.
  • The website also sets cookies that have an advertising purpose without properly informing and obtaining the consent of Internet users.

“The purpose of this notice is not to decide on the company’s behalf which practical measures must be implemented, but rather to ensure that it complies with the law, without such compliance having any negative impact on its business model or innovation capacity,” the CNIL says. “This notice is not a sanction and the procedure will be publicly closed if the companies comply with the French Data Protection Act within the time limit.”