On 7 December 2020 the French data protection regulator (CNIL), acting as the Christmas Grinch for two of the major tech giants, issued Google LLC and Google Ireland Limited a total fine of €100 million and Amazon Europe Core a fine of €35 million - in both cases for dropping tracking cookies without consent.

Why were they fined?

Both of these fines followed investigations carried out by the CNIL into the respective web pages.

In the case of Google, the CNIL found three violations under Article 82 of the French Data Protection Act:

  • Advertising cookies were being automatically dropped on a user’s device when they accessed google.fr, without any action from the user (including without obtaining the user’s consent).
  • Users were provided with inadequate information about the cookies dropped on their devices when they accessed google.fr. The cookie banner stated "Google Privacy Policy Reminder," in front of which were two buttons entitled "Remind Me Later" and "Access Now." Therefore, users were not clearly informed of a) the cookies being dropped on their device, b) the purposes of the cookies and c) the available means of refusing them.
  • An advertising cookie was still being dropped even after a user had opted out of cookies by deactivating ad personalisation on Google search.

For Amazon, the fine was for very similar reasons:

  • A large number of advertising cookies were being automatically dropped onto a user’s device without their consent.
  • Again, users were not provided with adequate information about the cookies dropped on their devices when they accessed amazon.fr. The cookie banner read “By using this website, you accept our use of cookies allowing to offer and improve our services. Read More.” The CNIL found that this contained only general and approximate information about the purposes of the cookies being dropped, and that users would not be aware that they were mainly being used for personalised ads. Users were also not told that they could refuse cookies or how to do so.

On 1st October 2020 the CNIL released its amended guidelines and recommendations regarding the use of cookies and other tracking devices – but it made clear in both decisions that the fines were imposed in relation to prior existing obligations both companies had under the GDPR.

What are the implications of the fines?

  • Both decisions are a clear reminder of the current law around cookies: a) opt-in consent is required for all non-essential cookies; and b) cookie banners need to clearly set out what types of cookies a company is using and for what purposes (it is not enough to rely on the cookie notice alone), and individuals need to have an easy way to ‘accept’ and ‘reject’ cookies. A lot of our clients are already aware of the importance of complying with these requirements and are no longer taking the risk-based approach of relying on implied consent for cookies (you’ve seen all the pop ups).
  • This is a stark reminder that consent management platforms (CMPs) must actually work and that the regulators are taking failure to properly implement CMPs very seriously. Companies need to ensure that whatever CMP is being used (whether in-house or by an external third party) has a fully effective opt-out mechanism to allow users to refuse cookies.
  • This is also a reminder that at the moment the ‘one stop shop’ mechanism under the GDPR does not apply under the EU ePrivacy Directive, so organisations cannot rely on the (perhaps more) relaxed approach of local regulators in relation to cookie compliance. The application of the ‘one stop shop’ mechanism may change once the new ePrivacy Regulation comes into force.
  • Finally, there are serious sums involved for getting it wrong. Organisations need to act now and ensure compliant cookie mechanisms are implemented and working!