Facebook and Cookie Fines? More than indigestion?

Facebook Facing Daily 250K Euro Cookie Fines

Yesterday (10th November) a Belgian court ordered Facebook to stop tracking some non-members across the web. The social media giant was given 2 days to comply, or be issued fines of 250,000 euros per day.

This is undoubtedly the most significant enforcement action taken against any company for the use of cookies without consent, and shows the increased appetite in Europe for privacy law enforcement, which we have seen building for the last two years or more.

The case revolves around Facebook's ‘datr’ cookie, and in particular its use of the cookie with visitors who have not signed up to the service, and therefore have not agreed to Facebook’s terms and conditions or cookie policy.

This cookie can be set on a visitor’s browser when visiting some parts of the site, like company pages, without logging in to the service. Crucially this cookie is then also read by Facebook on subsequent visits to any website that uses the sharing tools, such as the ‘Like’ button. This can happen even without clicking on the button.

The judge in this case has ruled that the datr cookie amounts to personal data. Its use potentially allows Facebook to track individuals across any one of millions of sites, building up a profile.

The ruling has determined that this is not permissible under Belgian law, unless Facebook has explicit consent.

Facebook will of course appeal the decision. It has previously argued that Belgian courts have no jurisdiction as its European operations are centred in Ireland, and therefore subject to Irish law.

Of course Facebook is not the only company that tracks individuals around the web in this way – much of the advertising on the web relies on this kind of data use. However these kind of practices are coming under increasing pressure and scrutiny from regulators and privacy advocates.

However this case turns out, it is yet further evidence that the rules around consent for cookies, and particularly tracking or third parties cookies, are likely to become increasingly used by regulators. We will certainly be keeping a close eye on events.

As the practices are common across almost all major websites, every business with an online presence needs to pay attention to this, and make sure they are compliant. Regular auditing of all sites is an absolute must – but making sure you can show you are getting meaningful consent from users is vital too.