French Regulator Imposes Record-Breaking Fines on Google and Amazon for Unlawful Use of Cookies

The French data protection authority (the "CNIL") on 7 December 2020 imposed historic sanctions against leading two web companies: a €35 million fine on Amazon Europe Core, and a €100 million fine on Google LLC and Google Ireland Limited.

Both European and French law require the collection of the users’ consent before placing cookies that are not essential to the service. Between December 2019 and May 2020, the CNIL carried out online checks of the amazon.fr and google.fr websites and found that advertising cookies were automatically deposited on users' computers when users visited the French websites of Google and Amazon.

In addition, users were not informed in a "clear and complete" manner about the automatic use of advertising cookies, nor were they given the opportunity to opt out:

• By way of illustration, the cookie banner on the amazon.fr website disclosed that “By using that website, you accept the use of cookies to offer and improve our services. Learn more.” This disclosure was found to only give a general, approximate description of the purpose of the cookies. The users were therefore not in a position to understand that the cookies were mainly intended to display personalized advertising and that they could be disabled.
• The google.fr website banner similarly did not give users any information relating to cookies that had been placed on their computers as soon as the users landed on the website. In addition, the opposition mechanism (i.e., the mechanism allowing users to reject or disable cookies) was ineffective, as one of the advertising cookies remained stored on the users’ computer even after the ad personalization was deactivated in the Edit Ads Settings button.

In reaching its decisions, the CNIL had to first determine that it had the authority to impose remedial measures and sanctions regardless of the GDPR¹ cooperation mechanism (i.e., the one-stop-shop mechanism, according to which companies carrying out cross-border personal data processing activities will only have to deal with one data protection authority – the one where their main EU establishment is located), because the French cookie-related rules are not based on the GDPR, but on the ePrivacy directive,² transposed into French law under Article 82 of the French Data Protection Act.

The CNIL also held itself territorially competent in application of the French Data Protection Act because the cookies were used in relation to the activities of the French company of Google and Amazon (i.e., Google France and Amazon France established in France). The French regulator could therefore control and issue fines for the cookies deposited on computers of French residents.

In order to justify the amounts of the fines, the CNIL recalled the provisions of article 20 of the French Data Protection Act (French DPA), which is the transposition of the article 83 of the GDPR. Under article 20 of the French DPA, the CNIL can impose a financial penalty up to 2% of a company’s total annual worldwide turnover for a violation, taking into account the general conditions for imposing administrative fines set out in the GDPR. While the fines and the number of users affected are substantial,³ the penalties remain far below the 2% global turnover threshold, the total turnover considered being as high as €38 billion in 2018 for Google Ireland Limited, $160 billion in 2019 for Google LLC and €7.7 billion in 2019 for Amazon Europe Core.

Still, these decisions are a strong incentive for all companies to review their cookie policies. Particular consideration should be given to the alignment of cookie policies with the CNIL’s recommendations and guidelines published on October 1, 2020, recalling the following main principles:

• Advertising cookies require the prior consent of users.
• Information provided to users must be clear and complete.
• Users must always be able to withdraw their consent.

Read the French version of this article 

Footnotes

¹ EU Regulation 2016/679

² European « ePrivacy » Directive (2009/136/EC)

³ To determine the amount of the fine issued against Google on 21 January 2019, the CNIL already took into account Google's leading position on the French market, which provides the company with access to huge amounts of personal data. For further information, see: https://www.dechert.com/knowledge/onpoint/2019/2/french-regulator-imposes-the-highest-gdpr-fine-to-date-on-google.html