Tough Cookie: French CNIL Hits Google and Amazon with a Total of €135 million in Fines
On December 7, 2020, the French data protection authority, the CNIL (“Commission Nationale de l’Informatique et des Libertés”), fined first Google LLC and Google Ireland Ltd €100 million, and then Amazon Europe Core €35 million for violations of the French Data Protection Act (“French DPA”). Google and Amazon were sanctioned for placing advertising cookies on users’ computers without obtaining their prior consent or providing adequate information.
These hefty fines came together with an injunction to comply with the French DPA provisions on cookies within three months, subject to a late payment penalty of €100,000 per day.
Businesses operating in France should take these new blockbuster fines as another reminder of the importance of data protection frameworks and policies.
Background. In 2019 and 2020, the CNIL’s inspectors performed online checks of google.fr and amazon.fr websites. For both websites, they found that cookies were immediately and automatically placed onto the users’ devices, without their prior consent or prior information, and that a great number of these cookies were used for advertising purposes.
Violations of French Cookies Rules. The CNIL ruled that, under the EU ePrivacy Directive and Article 82 of the French DPA, users must be provided with clear and comprehensive information about the purpose of placing and reading cookies, and about the means by which they can refuse such cookies. On that basis, the CNIL found the following violations of the French DPA:
- Lack of consent. The CNIL decided that both Google and Amazon placed advertising cookies on website users’ devices without their prior consent.
- Insufficient information. The CNIL decided that Google and Amazon both failed to provide users of their websites with adequate information on their cookie policies.
- Insufficient “opposition” mechanism. The CNIL also found that even after deactivating personalized advertisement in the Google search engine through the “Consult now” button, one of the advertising cookies remained active and continued to read information and send it to the server it was connected to. The CNIL therefore decided that Google failed to put in place a sufficient “opposition” mechanism.
New Record-Setting Penalties. The CNIL eventually imposed a €100 million fine on Google and a €35 million fine on Amazon, explaining that these amounts were justified by the seriousness of the breaches, the large number of affected users, and the large benefits they derived through advertising and cookies. These decisions are not yet final and may still be appealed before the Conseil d’Etat, the French top court for administrative matters.
These new fines indicate that the CNIL continues to take its enforcement actions very seriously, even in the absence of a data breach. In 2019, it had already hit Google with a €50 million fine for breaches of the GDPR (see our previous update). This fine was upheld on appeal in June 2020 (see our comments on the decision).
To subscribe to the Data Blog, please click here.