CNIL, France’s data protection authority, on Thursday issued the companies with a three-month ultimatum “to provide internet users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent.” 

“Failing to do so will come with the risk of an additional daily fine of €100,000,” CNIL said in the statement. 

The latest penalties follow probes by the watchdog looking at companies’ compliance with new rules on cookies, which are tracking devices that are placed on people’s computers. The watchdog in 2020 fined Google €100mln and online shopping giant Amazon.com Inc. €35mln for placing such cookies on people’s computers without their consent.

EU data protection regulators’ powers have increased significantly since the bloc’s so-called General Data Protection Regulation, or GDPR, took effect in May 2018. The law allows watchdogs for the first time to levy penalties of as much as 4% of a company’s annual global sales.

The latest fines were levied based on separate rules regulating the use of cookies and other online tracking devices.

Google said in a statement that people trust us to respect their right to privacy and keep them safe and that the company understands its responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the European Union’s e-privacy rules. 

Facebook said it’s reviewing the authority’s decision.

“Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls,” the social media company said.