FR – Cookies : The CNIL Issues Two Record Fines of €100M and €35M Against Google and Amazon

On December 7, 2020, the CNIL (the French data protetion authority) pronounced two record sanctions of €100 million against GOOGLE LLC and GOOGLE IRELAND LIMITED (€60 and €40 million respectively), and €35 million against AMAZON EUROPE CORE for non-compliance with rules relating to cookies.

The CNIL reproaches them for having :

  • deposited advertising cookies without the prior consent of the users;

  • a lack or non-existence of complete information; and

  • for Google only, a partial failure of the means of opposition.

In both cases, the CNIL considered itself competent because, according to it, the mechanism of cooperation between data protection authorities, provided for in the RGPD does not apply to what falls under the cookie provisions of the e-privacy directive 2002/58/EC.

The Context

Following two audits carried out on December 12, 2019, and May 19, 2020, on the amazon.fr website and an audit carried out on the google.fr website on March 16, 2020, the CNIL found that cookies, some of which were for advertising purposes, were automatically dropped on users’ computers, without any action on their part.

The shortcomings identified by the CNIL

The CNIL has identified three violations of Article 82 of the French Data Protection Act (relating to cookies).

Failure to obtain the users’ prior consent

As mentioned above, Google and Amazon automatically dropped advertising cookies on the computers of users of their respective websites without any action on their part and therefore, without obtaining their prior consent.

Thus, the CNIL considered that the companies had not complied with the requirements under Article 82 of the French Data Protection Act to obtain prior consent before dropping cookies that are not essential to the service.

Failure to inform users beforehand

On the google.fr page, a footer information banner with the words “Reminder about Google’s privacy policy” and two buttons entitled “Remind me later” and “View now”, did not provide any cookie-related information.

This information was also not provided after clicking on the “View Now” button.

As far as Amazon is concerned, the CNIL noticed that, on the amazon.fr site, the information provided was neither clear nor complete. Indeed,  the information banner containing the following statement: “By using this site, you accept our use of cookies to offer and improve our services. Learn more”, was only a general and approximate description of the purposes of all cookies deposited.

According to the CNIL, the user was not able to understand that the cookies placed on his computer were intended to display personalized advertising and did not indicate to the user his right and means to refuse.

Furthermore, when the user visited the amazon.fr website after clicking on an advertisement published on a third party website, no prior information was provided.

The partial failure of the mechanism of “opposition”.

In the case of Google, if the user deactivated the personalization of ads on Google search, one of the advertising cookies would remain stored on his computer and would continue to read information to the server to which it is attached.

The CNIL, therefore, considered that the “opposition” mechanism was partially defective.

Two records sanctions pronounced by the CNIL

The CNIL fined GOOGLE LLC 60 million euros and GOOGLE IRELAND LIMITED 40 million euros, and Amazon Europe Core 35 million euros, i.e. 2% of its annual turnover.

Although Google and Amazon have since updated their cookie information and stopped automatically placing advertising cookies on user’s computers without their consent, their new information banner still does not allow users to understand the purposes for which cookies are used and still does not inform them that they can refuse cookies.

The CNIL has therefore also adopted an injunction under penalty of 100,000 euros per day of delay requesting Amazon and Google to bring their information notice in compliance with Article 82 of the French Data Protection Act within 3 months of the notification.

Competence of the CNIL 

Had the one-stop-shop mechanism of the GDPR been applied, the data protection authorities of Ireland and Luxembourg would have been competent respectively.

However, the CNIL recalled that it was materially and territorially competent to control and sanction cookies dropped by companies on the computers of users located in France insofar as these provisions are not covered by the GDPR but by the e-privacy directive 2002/58/EC.

With regard to the material competence and the non-application of the one-stop-shop provisions 

The decision indicates that the CNIL is competent as long as:

The operations concerned are carried out in the context of the provision of electronic communications services accessible to the public on public communications networks (i.e. internet) and that they exclusively concern read and write actions on the terminal of Internet users located in France when they visit the Amazon.fr site, operations that materialize by the deposit and reading of cookies. “

To do so, the CNIL relies in particular on recital 173 of the GDPR, which states that the GDPR does not apply to the specific provisions of the e-privacy directive.

Indeed, it considers that article 5 of the e-privacy directive is a special provision since it requires obtaining consent to the deposit of cookies without leaving the possibility of relying on other legal bases provided for in the GDPR. Moreover, Article 15a of the same directive, amended in 2009 by Directive 2009/136, provides for specific control mechanisms that are the responsibility of each Member State and not of the one-stop-shop mechanism.

Moreover, the competent supervisory authority for the regulation of cookies is not always an authority in charge of data protection in all Member States, which excludes, according to the CNIL, the possibility of applying the one-stop-shop procedure, which only applies to data protection authorities.

With regard to the territorial jurisdiction of the CNIL 

The CNIL applies Article 3 of the French Data Protection Act insofar as, in this case, Directive 2002/58/EC does not have any specific provisions in this respect and the provisions relating to the one-stop-shop are not applicable.

Thus, as the GDPR also provides, the CNIL is competent as soon as the operations are carried out within the framework of the activities of an establishment of these companies located in France (e.g. AMAZON ONLINE France SAS or Google France) even if the parent company is in practice the person responsible for implementing cookies (e.g. Amazon Europe Core and Google Ireland Limited jointly with Google LLC).

FR – Cookies : The CNIL Issues Two Record Fines of €100M and €35M Against Google and Amazon

This post is also available in fr_FR.

Tagged on: