French Watchdog CNIL Fines Google, Amazon for Cookie Violations

On December 10, 2020, the French data protection authority (CNIL) announced that it had issued two fines totaling €100 million against Google LLC and Google Ireland Limited for cookie violations.

Overview of Google’s Violations

On March 16, 2020, the CNIL completed an audit of google.fr which revealed that cookies, many of which were used for marketing purposes, were automatically placed on user equipment without affirmative action.

Specifically, CNIL highlighted three violations of Article 82 of the Act No.78-17 on January 6, 1978 on Information Technology, Data Files and Civil Liberties (as amended to implement the General Data Protection Regulation (GDPR).  

• First, CNIL noted that cookies for marketing purposes, which are non-essential for the provision of Google’s services, were automatically placed on the users’ equipment without their prior consent.
• Second, CNIL found that the information banner was accompanied by two buttons to “Remind me later” and “Access now,” which does not provide the user with any information in relation to the automatic placement of cookies on the users’ equipment.
• Third, CNIL indicated that the opt-out mechanism was partially defective, considering that, when a user deactivated personalised ads through the “Consult now” button, one of the advertisement cookies remained on their computer and as such continued to read their information.

Fines Resulting from the Audit

As a result, CNIL fined €60 million against Google LLC and €40 million against Google Ireland Limited, Google’s European headquarters, which CNIL found to be jointly responsible in determining the purposes and uses of cookies.  

Factors that helped determine the fine included the severity of committing three violations of the Act, the impact on 50 million users of Google Search, the financial gain indirectly generated by the collection of personal data through advertising cookies, and the fact that, since an update from September 2020, advertising cookies are no longer automatically placed on user equipment from arrival to google.fr.

Finally, CNIL added that, as the six month transition period for its guidelines and recommendations on the use of cookies and other trackers has not yet expired, the deliberation does not pertain to non-compliance with these.

CNIL has also announced a fine of €35 million against Amazon Europe Core Sarl for cookie violations.

For more information, here’s the press release and the deliberation, only available in French, here.