On 7 December 2020, the CNIL (the French data protection authority) imposed substantial fines on both Google and Amazon in relation to alleged breaches of French data protection laws. The CNIL fined Google LLC and Google Ireland Limited (“Google”) €60 million and €40 million respectively, whilst Amazon Europe Core received a fine of €35 million. These fines were for alleged violations of cookie notice and consent requirements, and represent the largest fines ever imposed by the CNIL.

CNIL findings

Amazon was alleged to have committed two breaches under Article 82 of the French Data Protection Act. This included:

  1. depositing cookies without obtaining prior consent of the user; and
  2. a lack of information provided to the users of Amazon’s website about the use of cookies.

Amazon set cookies on users' devices once the user had entered the site without requiring any action from them (i.e. consent to their use). As such, they placed advertising cookies on the computer of the user before obtaining their consent. Additionally, there was a lack of information on the website explaining to the user what cookies were being used and why. In particular, it was not made clear to users that the cookies were mainly for the purposes of displaying personalised advertisements, and that they could opt out of such cookies at any time.

Google was fined for similar breaches to Amazon. It was found that the company automatically placed cookies on users’ devices for advertising purposes without their consent, and there was a lack of readily accessible information for users to make an informed decision of such consent and/or use of cookies by Google. In Amazon’s case, there was a banner which advised that by using the website, the user agreed to the use of the cookies and included a button to read more. However, Google’s banner was much more vague. It was not stated anywhere in the notice that the main purpose of the cookies was for personalised advertising and there was no mention of the option to refuse them and/or opt out.

Google was also fined for a third breach in relation to their opt-out mechanism. Not only did they fail to display the possibility to opt out in their cookie consent banner, it was also discovered that some of the cookies continued to operate despite the user opting out.

What can we learn from these fines?

While these fines were from France, it is likely that these actions would contravene data protection laws in other Member States of the EU and the UK. As such, organisations need to be careful when applying cookie notices and ensure that they receive valid consent to use cookies and have displayed sufficient information about the use of cookies for the user to make an informed decision about their placement.

Firstly, in gaining valid consent, there should be an active step taken on the part of the user to allow them to give consent. This usually takes the form of a tick-box or a button to click allowing users to consent to the use of cookies.

Second, in informing users, organisations should ensure that any banners providing information on cookie use should include key information such as what the cookies will be used for and the ability for users to opt out. This information should be made as clear as possible without users having to search for it (e.g. by clicking on a link).

How can we help?

For further information on cookie notices and gaining consent from users to place cookies, please get in touch with our specialist GDPR & Cyber Security team.