France’s data protection agency has fined Google $170 million and Facebook $68 million for making it too confusing for users to reject cookies. The companies now have three months to change their ways in France.

With Facebook, CNIL notes that in order to refuse cookies, French users first have to click on a button labelled “Accept cookies”. Such labelling “necessarily generates confusion,” says CNIL, leading users to believe they have no choice in the matter.

With Google, the problem is one of asymmetry rather than mislabelling. CNIL notes that the company’s websites (including YouTube) allow users to accept all cookies with a single click. But, to reject them, they have to click through several different menu items. Clearly, users are being steered in a particular direction that just so happens to benefit Google.

EU law states that when citizens hand over data online, they must do so freely and with a full understanding of the choice they are making. CNIL’s judgement is that Google and Facebook are essentially tricking their users, deploying what are known as “dark patterns” — a style of subtly coercive user interface design — to wangle consent and so breaking the law. Hence the fines and the demand that the companies change their cookie UI design within three months. Failure to do so risks additional fines of €100,000 per day, says CNIL.

The problem is that GDPR enforcement is funnelled through the data watchdog of Ireland, where many US tech firms locate their European headquarters. That particular agency has proved itself to be a little slow in running down such complaints, which — only a cynic might suggest — is part and parcel of the friendly regulatory environment cultivated by the Irish state to attract US tech money in the first place. CNIL has also previously used ePrivacy to fine Google and Amazon on similar issues.