Tough Cookie: French CNIL Hits Google and Amazon with a Total of €135 million in Fines

On December 7, 2020, the French data protection authority, the CNIL (“Commission Nationale de l’Informatique et des Libertés”), fined first Google LLC and Google Ireland Ltd €100 million, and then Amazon Europe Core €35 million for violations of the French Data Protection Act (“French DPA”).  Google and Amazon were sanctioned for placing advertising cookies on users’ computers without obtaining their prior consent or providing adequate information.

These hefty fines came together with an injunction to comply with the French DPA provisions on cookies within three months, subject to a late payment penalty of €100,000 per day.

Businesses operating in France should take these new blockbuster fines as another reminder of the importance of data protection frameworks and policies.

Background.  In 2019 and 2020, the CNIL’s inspectors performed online checks of google.fr and amazon.fr websites.  For both websites, they found that cookies were immediately and automatically placed onto the users’ devices, without their prior consent or prior information, and that a great number of these cookies were used for advertising purposes.

CNIL’s Jurisdiction.  In its decisions, the CNIL ruled that the GDPR “one-stop shop” mechanism does not apply here, since the companies’ use of cookies fell instead under the French implementation of the EU ePrivacy Directive of July 12, 2002.  The CNIL thus asserted its jurisdiction on the grounds that cookies had been placed on devices of users living in France, and because the cookie operations had been carried out by the France-based branches of Google and Amazon to promote their products and services.

Violations of French Cookies Rules.  The CNIL ruled that, under the EU ePrivacy Directive and Article 82 of the French DPA, users must be provided with clear and comprehensive information about the purpose of placing and reading cookies, and about the means by which they can refuse such cookies.  On that basis, the CNIL found the following violations of the French DPA:

  • Lack of consent. The CNIL decided that both Google and Amazon placed advertising cookies on website users’ devices without their prior consent.
  • Insufficient information. The CNIL decided that Google and Amazon both failed to provide users of their websites with adequate information on their cookie policies.

On Google’s website, the information banner presented the user with two options—“Remind me later” and “Consult now”—but provided no information on the cookie policy or the available means to refuse them.  Further, after clicking “Consult now”, the website provided unclear and insufficient information on cookies.

On Amazon’s website, the information banner advised that “By using this site, you accept our usage of cookies in order to offer and improve our services.”  The additional “To know more” link led to a general and only approximate description of the cookies’ purposes.  In particular, it did not inform users that personalized advertising cookies were being placed on their devices or that they could refuse cookies.  The CNIL added that the breach was aggravated when users accessed amazon.fr after clicking on an advertising link on another website.  In this case, the user was not provided with any information.

  • Insufficient “opposition” mechanism. The CNIL also found that even after deactivating personalized advertisement in the Google search engine through the “Consult now” button, one of the advertising cookies remained active and continued to read information and send it to the server it was connected to. The CNIL therefore decided that Google failed to put in place a sufficient “opposition” mechanism.

As we reported here, the CNIL recently published guidelines and recommendations to help businesses establish good practices for their use of cookies and similar technologies in France.  Interestingly, although not applicable here, the CNIL noted in its decisions that these new guidelines and recommendations provide useful information to data controllers by advising them on the implementation of concrete measures to guarantee compliance with the DPA provisions on cookies.

New Record-Setting Penalties.  The CNIL eventually imposed a €100 million fine on Google and a €35 million fine on Amazon, explaining that these amounts were justified by the seriousness of the breaches, the large number of affected users, and the large benefits the companies derived through advertising and cookies.  These decisions are not yet final and may still be appealed before the Conseil d’Etat, the French top court for administrative matters.

These new fines indicate that the CNIL continues to take its enforcement actions very seriously, even in the absence of a data breach.  In 2019, it had already hit Google with a €50 million fine for breaches of the GDPR (see our previous update).  This fine was upheld on appeal in June 2020 (see our comments on the decision).


Author

Alexandre Bisch is an international counsel in Debevoise's Paris office and a member of the firm’s Litigation Department. He can be reached at abisch@debevoise.com.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

Ariane Fleuriot is an associate in Debevoise's Litigation Department. She can be reached at afleuriot@debevoise.com.