Data Privacy: France fines Google $120M and Amazon $42M for dropping cookies without consent

Advertisers take note! Google has been slapped with a €100 million fine ($120M) for dropping cookies on Google.fr and Amazon €35M ($42M) for doing so on Amazon.fr under the enforcement notices issued today.

The French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés) (CNIL) carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.

Interesting to note that in these two cases, the CNIL was found to be materially competent  to control and sanction cookies placed by companies on the computers of users residing in France. The cooperation mechanism provided for by the GDPR (“one- stop-shop” mechanism  ) would not apply in this case given that the one-stop-shop mechanism only concerns cross-border processing as defined in  article 4.23 of the GDPR.

The operations linked to the use of cookies in these two cases fell under the “ ePrivacy ” directive transposed to article 82 of the Data Protection Act.

Let’s take a closer look at the two cases:

Amazon:

Between December 12, 2019 and May 19, 2020, the CNIL carried out several checks, particularly online, on the amazon.fr website. These verifications revealed:

• when an internet user visited this site, a large amount of cookies (with an advertising objective) were automatically placed on his computer, without any action on his part.
• when an Internet user who went to the amazon.fr site, the information provided was neither clear nor complete.
• the information banner displayed by the company, in this case “By using this site, you accept our use of cookies to provide and improve our services. Find out more ”, contained only a general and approximate description of the purposes of all the cookies placed.
• when internet users who went to the Amazon.fr site after having clicked on an ad published on another website, the same cookies were placed without any information delivered to Internet users.

 The French regulator found that this type of cookies, not essential to the service, can only be placed after the Internet user has expressed their consent. Placing cookies upon arrival on the site is a practice which, by nature, is incompatible with prior consent.

The regulator also found that until the redesign of the amazon.fr site, in September 2020, the company placed cookies on the computers of Internet users residing in France without providing them with the required information in accordance with article 82 of the Data Protection Act. The instantaneous deposit of cookies, combined with the absence of any information, particularly infringed the rights of Internet users.

As a result AMAZON EUROPE CORE was fined 35 million euros, taking in consideration that Amazon made recent changes made to the amazon.fr site and no more cookies are now placed on the site before the user has given his consent.  However the new information banner deployed still does not allow Internet users residing in France to understand that cookies are mainly used to display personalized advertising to them and they are still not clearly informed of their possibility to refuse these cookies.

Therefore, in addition to the fine, the regulator also adopted an injunction under penalty so that the company informs people in accordance with article 82 of the Data Protection Act within 3 months of from the notification of the decision. Otherwise, the company will be exposed to the payment of a fine of 100,000 euros per day of delay.

Google:

On March 16, 2020, the CIL carried out an online check on the google.fr website which revealed:

• Just like Amazon, when an internet user went to this site, cookies were automatically placed on his computer, without action on his part. Several of these cookies served an advertising objective.
• When a user went to the google.fr page, an information banner was displayed at the foot of the page, bearing the following words “Reminder concerning Google’s confidentiality rules  “ in front of which appeared two buttons entitled “Me call back later ”and“ Consult now ”. This banner did not provide the user with any information relating to cookies which had already been placed on his computer, as soon as he arrived on the site. This information was also not provided to him when he clicked on the “Consult now” button .
• When a user deactivated the personalization of ads on Google search using the mechanism made available to him from the “Consult now” button, one of the advertising cookies remained stored on his computer and continued to read information intended for the server to which it is attached.

As this type of cookies cannot be deposited without the user having expressed his consent, the regulator considered that two Google companies operating the site GOOGLE LLC and GOOGLE IRELAND LIMITED had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies.

Note: Although GOOGLE LLC, established in California, develops the Google Search search engine GOOGLE IRELAND LIMITED, headquartered in Ireland, presents itself as the European headquarters of the Google group. GOOGLE FRANCE is the establishment in France of GOOGLE LLC

The French regulator found that the information provided by the Google companies did not allow users residing in France to be previously and clearly informed about the deposit of cookies on their computer nor, consequently, of the objectives of these cookies and the means made available to them as to the possibility of refusing them. The regulator therefore considered that the “opposition” mechanism put in place by the companies was partially faulty, in violation of article 82 of the Data Protection Act.

GOOGLE LLC was fined 60 million euros and GOOGLE IRELAND LIMITED 40 million euros.

The amount of the fines was justified by the seriousness of the breach, the reach of the Google Search search engine in France and the fact that the Google corporate practices have affected nearly fifty million users. Finally, the regulator noted the considerable profits that companies derive from advertising revenues indirectly generated from the data collected by these advertising cookies.

Just like with Amazon, the regulator noted that, since an update of September 2020, Google stopped automatically depositing advertising cookies as soon as the user arrived on the google.fr page.

However the new information banner implemented by Google on the google.fr page still does not allow users residing in France to understand the purposes for which cookies are used, nor inform the users that they could refuse these cookies.

Therefore, in addition to the fine, the regulator also adopted an injunction under penalty so that the companies inform people in accordance with article 82 of the Data Protection Act within 3 months of from the notification of the decision. Otherwise, the company will be exposed to the payment of a fine of 100,000 euros per day of delay.

Compliance

To comply, read the CNIL’s guidelines on Cookies (Full version in French). 

The main principles confirmed by the French regulator are as follows:

• Regarding user consent:
  • the mere pursuit of navigation on a site can no longer be considered as a valid expression of the user’s consent;
  • people must consent to the deposit of tracers by a clear positive act (such as clicking on “I accept” in a cookie banner). If they do not do so, no tracker that is not essential to the operation of the service can be placed on their device.
• Users should be able to withdraw their consent easily and at any time.
• Refusing tracers should be as easy as accepting them.
• Information about people: 
  • they must be clearly informed of the purposes of the tracers before consenting, as well as the consequences attached to an acceptance or rejection of tracers;
  • they must also be informed of the identity of all actors using tracers subject to consent.
• The organizations operating tracers must be able to provide, at any time, proof of the valid collection of the free, informed, specific and unequivocal consent of the user.

_{Disclaimer: the views expressed on this page are personal. The information provided here does not, and is not intended to, constitute legal advice; instead, all examples, media, content, and materials available on this page are for general informational, and compliance guidance illustrative purposes only. Readers are advised to contact an attorney in the relevant jurisdiction to obtain advice with respect to any particular legal matter or legal development shared here.}