Advertisers take note! Google has been slapped with a €100 million fine ($120M) for dropping cookies on Google.fr and Amazon €35M ($42M) for doing so on Amazon.fr under the enforcement notices issued today.
The French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés) (CNIL) carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.
Interesting to note that in these two cases, the CNIL was found to be materially competent to control and sanction cookies placed by companies on the computers of users residing in France. The cooperation mechanism provided for by the GDPR (“one- stop-shop” mechanism ) would not apply in this case given that the one-stop-shop mechanism only concerns cross-border processing as defined in article 4.23 of the GDPR.
Let’s take a closer look at the two cases:
Between December 12, 2019 and May 19, 2020, the CNIL carried out several checks, particularly online, on the amazon.fr website. These verifications revealed:
The French regulator found that this type of cookies, not essential to the service, can only be placed after the Internet user has expressed their consent. Placing cookies upon arrival on the site is a practice which, by nature, is incompatible with prior consent.
The regulator also found that until the redesign of the amazon.fr site, in September 2020, the company placed cookies on the computers of Internet users residing in France without providing them with the required information in accordance with article 82 of the Data Protection Act. The instantaneous deposit of cookies, combined with the absence of any information, particularly infringed the rights of Internet users.
As a result AMAZON EUROPE CORE was fined 35 million euros, taking in consideration that Amazon made recent changes made to the amazon.fr site and no more cookies are now placed on the site before the user has given his consent. However the new information banner deployed still does not allow Internet users residing in France to understand that cookies are mainly used to display personalized advertising to them and they are still not clearly informed of their possibility to refuse these cookies.
Therefore, in addition to the fine, the regulator also adopted an injunction under penalty so that the company informs people in accordance with article 82 of the Data Protection Act within 3 months of from the notification of the decision. Otherwise, the company will be exposed to the payment of a fine of 100,000 euros per day of delay.
On March 16, 2020, the CIL carried out an online check on the google.fr website which revealed:
As this type of cookies cannot be deposited without the user having expressed his consent, the regulator considered that two Google companies operating the site GOOGLE LLC and GOOGLE IRELAND LIMITED had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies.
Note: Although GOOGLE LLC, established in California, develops the Google Search search engine GOOGLE IRELAND LIMITED, headquartered in Ireland, presents itself as the European headquarters of the Google group. GOOGLE FRANCE is the establishment in France of GOOGLE LLC
The French regulator found that the information provided by the Google companies did not allow users residing in France to be previously and clearly informed about the deposit of cookies on their computer nor, consequently, of the objectives of these cookies and the means made available to them as to the possibility of refusing them. The regulator therefore considered that the “opposition” mechanism put in place by the companies was partially faulty, in violation of article 82 of the Data Protection Act.
GOOGLE LLC was fined 60 million euros and GOOGLE IRELAND LIMITED 40 million euros.
The amount of the fines was justified by the seriousness of the breach, the reach of the Google Search search engine in France and the fact that the Google corporate practices have affected nearly fifty million users. Finally, the regulator noted the considerable profits that companies derive from advertising revenues indirectly generated from the data collected by these advertising cookies.
Just like with Amazon, the regulator noted that, since an update of September 2020, Google stopped automatically depositing advertising cookies as soon as the user arrived on the google.fr page.
However the new information banner implemented by Google on the google.fr page still does not allow users residing in France to understand the purposes for which cookies are used, nor inform the users that they could refuse these cookies.
Therefore, in addition to the fine, the regulator also adopted an injunction under penalty so that the companies inform people in accordance with article 82 of the Data Protection Act within 3 months of from the notification of the decision. Otherwise, the company will be exposed to the payment of a fine of 100,000 euros per day of delay.
To comply, read the CNIL’s guidelines on Cookies (Full version in French).
The main principles confirmed by the French regulator are as follows:
Disclaimer: the views expressed on this page are personal. The information provided here does not, and is not intended to, constitute legal advice; instead, all examples, media, content, and materials available on this page are for general informational, and compliance guidance illustrative purposes only. Readers are advised to contact an attorney in the relevant jurisdiction to obtain advice with respect to any particular legal matter or legal development shared here.