
France cracks down on dark patterns, fining Google and Facebook nearly $240 million for manipulative cookie tricks

January 6, 2022, 3:21 PM UTC

Websites regularly try to steer users toward accepting their tracking cookies by making it relatively hard to reject them. On Thursday, France’s data protection watchdog struck back against such tricks—known in the tech industry as “dark patterns”—by fining Facebook, Google, and YouTube a total of €210 million ($238 million).

The agency, known as CNIL, said the companies’ actions violated the French Data Protection Act. Apart from these fines—€60 million for Facebook and €150 million for Google and its video-streaming business—it gave them three months to change how their cookie acceptance/rejection mechanisms work, or face further penalties of €100,000 a day.

Europe’s tough online privacy regime really kicked into gear last year, when fines under the previously less-than-feared General Data Protection Regulation (GDPR) totaled more than €1 billion, mostly thanks to blockbuster fines for Amazon and WhatsApp, levied in Luxembourg and Ireland respectively.

CNIL’s latest fines, however, were underpinned by a different piece of EU legislation: the ePrivacy Directive, which was transposed into French law some two decades ago. Popularly known as the “cookie law,” this ancient (in internet time) rulebook was supposed to be replaced five years ago, though the legislative process has repeatedly stalled.

Cookies? Doh!

Users’ consent is central to the cookie law and, according to CNIL, Facebook and Google haven’t been getting it fairly.

“Several clicks are required to refuse all cookies, against a single one to accept them,” the regulator complained regarding Google and YouTube’s websites.

The same applies to Facebook’s website, with one particularly entertaining added wrinkle—per Thursday’s statement: “The CNIL also noted that the button allowing the user to refuse cookies is located at the bottom of the second window and is entitled ‘Accept cookies.’” In all these cases, CNIL said, the mechanisms discourage users from refusing cookies, in a process that “affects the freedom of consent of Internet users.”

“We are reviewing the authority’s decision and remain committed to working with relevant authorities,” said a spokesperson for Facebook owner Meta. “Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”

A Google spokesperson said, “People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive.”

“Dark patterns”

This is not the first time Facebook and Google have been accused of employing dark patterns—essentially deceptive designs—to manipulate people into weakening their privacy.

A few years ago, shortly after the GDPR came into force, consumer groups from across Europe asked national privacy regulators to investigate dark patterns. The Norwegian Consumer Council (NCC), which spearheaded the push, made a formal complaint against Google to Norway’s data protection watchdog.

However, under the GDPR’s “one stop shop” mechanism, complaints are supposed to be handled by the regulator in the country where the company has its European headquarters—meaning Ireland, for most of Big Tech. So the NCC’s complaint got passed to the notoriously slow and underfunded Irish Data Protection Commission, where it has been languishing ever since.

France’s CNIL avoided this trap by targeting Google and Facebook under the ePrivacy law. As it repeatedly noted in Thursday’s statements, it has the jurisdiction to issue fines for ePrivacy violations on French soil.

“The CNIL decision sends a strong signal that users must be given real and fair choices online, and not manipulated into ‘accepting’ whatever is in the companies’ own interest,” NCC digital policy chief Finn Myrstad told Fortune on Thursday.

Over in the U.S., the Electronic Privacy Information Center (EPIC) has repeatedly complained to the Federal Trade Commission (FTC) about dark patterns. The agency has become more sympathetic to these complaints under the Biden administration. It said last October that it would step up enforcement against dark patterns that “trick or trap consumers into subscription services.”
