Google and Amazon, fined by CNIL of France, for placing cookies on users’ computers without getting prior consent or giving satisfactory information.
The CNIL reported last week that both companies have been sanctioned, for their misuse of cookies which breached the French Data Protection Act. Following several investigations from December 12th 2019 to May 19th 2020 on amazon.fr and on March 16th 2020 on google.fr, the CNIL discovered that the websites of both of these companies violated Article 82 of the Data Protection Act.
Google was found to have three violations of Article 82 of the DPA, while Amazon had two of those three.
Both websites, upon investigation, were found to have been placing cookies on users’ computers automatically, without any action required on their part, or prior consent required from the users. These cookies were deemed non-essential to the use of their service and should only be placed once the user has expressed their consent. This practice violates Article 82, of the DPA and fails to comply with the requirement of obtaining prior consent before placing cookies on users’ computers.
While both google.fr and amazon.fr issued brief statements via a banner pop-up to the bottom of their screens, informing visitors of either the company’s confidentiality agreement (in the case of Google), or the users acceptance of cookies by their use of the website (in the case of Amazon), both of these banners were found to have inadequately informed users, resulting in further breaches to Article 82. In Google’s case, this banner did not inform users at all, on the cookies which had already been automatically placed on their computers. The “Consult now” button which was placed on the banner at google.fr also did not lead users to any information on those cookies.
On amazon.fr, while the banner informed users of their automatic acceptance of cookies by using the site, this information was found to be neither clear nor complete. The banner did not specify that cookies placed on users’ computers were mainly used to display personalized ads. It also failed to explain to the user that it could refuse these cookies or how to do it.
In addition, on google.fr, even after using the mechanism provided through the “Consult now” button, to deactivate the personalisation of ads, one of the advertising cookies remained stored on the user’s computer and continued to read information intended for the attached server. The “opposition” mechanism on google’s website was deemed faulty and resulted in an additional violation of the DPA, Article 82.
Google and Amazon fined a total of 100 million euros and 35 million euros respectively.
GOOGLE LLC was hit with a fine of 60 million euros, and GOOGLE IRELAND LIMITED was fined 40 million euros. The authority justified these fines, and their decision to make them public, by the seriousness of Google’s triple breach of Article 82, the search engine’s reach and the fact that nearly fifty million users were affected by this breach. The advertising revenues generated by companies like Google are indirectly generated from the data collected by the advertising cookies placed on users’ computers. Since a September 2020 update on google.fr, cookies are no longer automatically placed on users’ computers, however the information banner still did not inform users residing in France of the purposes for which cookies are used, nor does it inform them that they could refuse these cookies. In addition to the fine charged to GOOGLE LLC and GOOGLE IRELAND LIMITED, an injunction was also placed under the penalty, threatening a 100,000 euro per day fine, if after three months, companies were still not adequately informing users, in accordance with DPA article 82.
AMAZON EUROPE CORE was fined 35 million euros, and the fines were also publicized due to the seriousness of the breaches. It was considered that, given the popularity of the website amazon.fr, millions of France’s residents visited this site daily, having cookies placed on their computers. In addition, the main activity of the company is the sale of consumer goods, therefore the personalized ads, made possible by the use of those cookies, lead to a significant increase in the visibility of its products on other websites. It was also taken into account that, until the restructure of the website amazon.fr in September 2020, the company was continuously placing cookies on the computers of users living in France, without informing them. Regardless of the path that led users to the site, they were either insufficiently, or not at all informed that cookies were being placed on their computers. Amazon is also faced with the threat of an additional 100,000 euro per day fine, if they are not in accordance with the act within three months.
CNIL has released amended guidelines and recommendations regarding the use of cookies, in accordance with the GDPR.
On October 1st 2020, the CNIL released its guidelines on the use of cookies and other tracking devices. These guidelines are part of its action plan on targeting advertising and the enforcement of the GDPR. CNIL is asking all parties to comply with the rules clarified therein, specifying that their adaptation period should not exceed six months. CNIL has also indicated that it will continuously monitor other requirements which have not been modified and, if necessary, adopt corrective measures to protect the privacy of individuals.
