The French privacy watchdog, Commission Nationale de l'Informatique et des Libertés (CNIL), issued financial penalties to Google and Amazon for cookie consent violations. The sanctions were imposed on December 7, 2020, and made public on 10 December, 2020.
Google has to pay €100 million (~$122 million) and Amazon €35 million (~$42.8 million). Google's fine makes it the highest ever in France for this type of violation. It is not the first time that the CNIL has fined Google. Back in 2019, the company came under fire for violating transparency requirements. The CNIL imposed a fine of around €50 million (~$61 million) following the complaint filed under the General Data Protection Regulation (GDPR).
Google’s cookie consent violations
The CNIL investigated google.fr in March 2020 and discovered that the site had made three violations:
- Use of non-essential cookies without consent
CNIL found that Google French website, google.fr stores marketing cookies on users’ devices without their consent. It violates Article 82 of the FDPA since users' consent is mandatory before storing such cookies.
- Inadequate information about cookies
The cookie banner on the google.fr failed to provide any information about the non-essential cookies that it has stored on the users’ devices. The banner has two buttons - ‘Remind Me Later’ and 'Access Now’. The latter option did not explain that these cookies are automatically stored on the user device or the cookies’ purpose.
The lack of information about the cookies’ purpose prevented the French users from making an informed decision to accept cookies. They were also not aware if they could refuse the cookies.
- The partially defective opt-out mechanism
The CNIL’s investigation found that google.fr had a partially defective mechanism for opt-out. Even after the users deactivate personalized advertisements through the ‘Consult Now’ button, one of the advertisement cookies still remained on their devices. It continued to read user data.
Amazon’s cookie consent violations
Per CNIL’s investigation between December 2019 and May 2020, amazon.fr has made two violations:
- Use of advertising cookies without consent
Like google.fr, amazon.fr also automatically stores cookies associated with advertisements without obtaining prior consent from its users. It violates the consent requirements of the French Data Protection Act.
- Lack of information about cookies
The cookie banner on amazon.fr had a very general statement about using cookies on the website:
It does not explain the purpose of the cookies (that it already stores on the users’ devices), neither does it inform them that they could refuse to consent.
Sanctions imposed by CNIL
The CNIL committee imposed a fine of €60 million on Google LLC. It also imposed €40 million on Google Ireland for being jointly responsible. Amazon was slapped with a fine of €35 million.
CNIL based the fine amounts for Google considering the seriousness of the breach. Around 50 million french users were affected by this violation. The company indirectly had financial gain from the data collected by the marketing cookies.
For Amazon also, the CNIL determined the fine amount based on the seriousness of the violation. Regardless of where the traffic came from (organic or via advertisements), the automatic storing of cookies plus the inadequate information affected millions of people in France who use the website.
The CNIL notes that following their investigations, both companies have stopped the automatic storing of cookies since September 2020. However, the new cookie banners on the sites still do not inform the users of the purpose of the cookies and that they can refuse them.
Therefore, the committee ordered the tech giants to inform their users within three months (after the ruling). Otherwise, they have to pay a fine of 100,000 euros per day of delay beyond it.
The cookie consent requirements come under the ePrivacy Directive (the EU Cookie Law). Therefore, the CNIL notes that the GDPR’s one-stop-shop mechanism does not apply here. The regulator maintains that it has legal competence to investigate the matter.
Cookie consent violation: the lesson learned
CNIL’s sanction for the tech giants is a great lesson for every webmaster to follow the law. There can be no two ways about it.
CookieYes is a useful application to add a cookie consent banner to your website to comply with the GDPR and ePrivacy Directive.
It automatically blocks third-party cookie scripts before you ask for user consent. You can also customize the banner to add the necessary information about cookies.