France’s Data Protection Authority Imposes Record Sanctions for ePrivacy Directive Violations Related to Cookie Compliance

On December 10, 2020, France’s Data Protection Authority (CNIL) sanctioned Google LLC and Google Ireland Limited for a total of 100 million euros for having deposited advertising cookies on the computers of the users of the google.fr search engine without prior consent or satisfactory disclosure, in violation of the ePrivacy Directive and France’s Data Protection Act.

In addition, the CNIL sanctioned Amazon Europe Core 35 million euros for placing advertising cookies on the users’ computers from the amazon.fr site without prior consent and satisfactory disclosure.

Google’s Cookies Violations

The CNIL noted the following breaches by Google:

• When the users went to the google.fr page, several advertising cookies were automatically placed on their computer without any action on their part. Under the Data Protection Act, this type of cookies cannot be deposited without the user’s expressed consent.
• The information provided by Google on its cookie banner did not clearly inform the users that the advertising cookies were being placed on their computers; did not disclose the purpose of the cookies; and did not provide the means for objecting to these cookies.
• When the users deactivated the personalization of ads on Google search using the mechanism made available to them from the cookie banner, one of the advertising cookies remained stored on their computer and continued to read information intended for the server to which it is attached.

According to the CNIL, since an update in September 2020, Google stopped automatically depositing advertising cookies as soon as the user arrives on the google.fr page.  However, the new banner implemented by the company still did not allow users residing in France to understand the purposes for which cookies are used and how to reject them.  Thus, in addition to the administrative fines, the CNIL required Google to provide the necessary disclosures within 3 months or face a payment of a fine of 100,000 euros per day.

In setting the amount of the Google fine, the CNIL considered the seriousness of the company’s triple breach of the Data Protection Act, the reach of the Google search engine in France and the fact that its practices have affected nearly fifty million users, as well as the considerable profits that Google derives from advertising revenues indirectly generated from the data collected by the advertising cookies.

Amazon’s Cookies Violations

The CNIL noted the following breaches by Amazon:

• When Internet users went to one of the pages of the amazon.fr site, a large number of advertising cookies which were not essential to the service were instantly placed on their computers without their express consent.
• The cookie banner displayed on the website stated that “By using this site, you accept our use of cookies to provide and improve our services. Find out more.” The CNIL found that the corresponding disclosures contained only a general and approximate description of the purposes of all the placed cookies.  In particular, upon reading this banner, the user was not able to understand that the cookies placed on his computer had the main objective of showing him personalized advertisements.  The banner also did not indicate to the user either that he has the right to refuse these cookies and the means of such refusal.
• When users went to the amazon.fr site after clicking on an ad published on another website, the same advertising cookies were placed without any disclosure provided to the users. In the CNIL’s view, this practice particularly infringed on the rights of the Internet users.

The CNIL noted that amazon.fr site no longer placed cookies without the users’ consent. However, the new cookie banner still did not allow Internet users residing in France to understand that cookies were mainly used to display personalized advertisement and the users were not clearly informed of the possibility of refusing the cookies.  Thus, similarly to Google, the CNIL ordered Amazon to provide the required disclosures within 3 months or face daily fines.

Improve customer trust with Clarip’s privacy governance platform.  Schedule a demo of the Clarip data mapping software for GDPR by calling 1-888-252-5653.