Google and Amazon fined by CNIL of France for placing cookies on users’ computers without getting prior consent or giving satisfactory information.
Google was found to have three violations of Article 82 of the DPA, while Amazon had two of those three.
Upon investigation, both websites were found to have been placing cookies on users’ computers automatically, without any action on the users’ part and without their prior consent. These cookies were deemed non-essential to the use of the service, so they should only be placed once the user has expressed consent. This practice violates Article 82 of the DPA, which requires prior consent to be obtained before cookies are placed on users’ computers.
While both google.fr and amazon.fr displayed brief statements in a banner pop-up at the bottom of the screen, informing visitors of either the company’s confidentiality agreement (in the case of Google) or the user’s acceptance of cookies through their use of the website (in the case of Amazon), both banners were found to have inadequately informed users, resulting in further breaches of Article 82. In Google’s case, the banner did not inform users at all about the cookies that had already been automatically placed on their computers. The “Consult now” button on the google.fr banner also did not lead users to any information on those cookies.
On amazon.fr, while the banner informed users of their automatic acceptance of cookies by using the site, this information was found to be neither clear nor complete. The banner did not specify that the cookies placed on users’ computers were mainly used to display personalized ads. It also failed to explain to users that they could refuse these cookies, or how to do so.
In addition, on google.fr, even after a user deactivated the personalisation of ads through the mechanism provided behind the “Consult now” button, one of the advertising cookies remained stored on the user’s computer and continued to read information intended for the attached server. The “opposition” mechanism on Google’s website was deemed faulty, resulting in an additional violation of Article 82 of the DPA.
Google and Amazon fined a total of 100 million euros and 35 million euros respectively.
GOOGLE LLC was hit with a fine of 60 million euros, and GOOGLE IRELAND LIMITED was fined 40 million euros. The authority justified these fines, and its decision to make them public, by the seriousness of Google’s triple breach of Article 82, the search engine’s reach, and the fact that nearly fifty million users were affected by this breach. The advertising revenues of companies like Google are indirectly generated from the data collected by the advertising cookies placed on users’ computers. Since a September 2020 update on google.fr, cookies are no longer automatically placed on users’ computers. However, the information banner still did not inform users residing in France of the purposes for which cookies are used, nor did it inform them that they could refuse these cookies. In addition to the fines imposed on GOOGLE LLC and GOOGLE IRELAND LIMITED, an injunction under penalty was issued, threatening a fine of 100,000 euros per day if, after three months, the companies were still not adequately informing users in accordance with Article 82 of the DPA.
AMAZON EUROPE CORE was fined 35 million euros, and the fine was also publicized due to the seriousness of the breaches. It was considered that, given the popularity of amazon.fr, millions of France’s residents visited the site daily and had cookies placed on their computers. In addition, the main activity of the company is the sale of consumer goods, so the personalized ads made possible by those cookies lead to a significant increase in the visibility of its products on other websites. It was also taken into account that, until the restructuring of amazon.fr in September 2020, the company was continuously placing cookies on the computers of users living in France without informing them. Regardless of the path that led users to the site, they were either insufficiently informed or not informed at all that cookies were being placed on their computers. Amazon also faces the threat of an additional fine of 100,000 euros per day if it is not in accordance with the act within three months.