For any organisations that are complacent about strict cookie compliance, yesterday’s announcement by the French data regulator (the CNIL) that it has fined Google and Amazon a total of 135 million euros, for placing advertising cookies on user devices without obtaining prior consent or providing adequate information, is a timely reminder of the importance of following the rules around cookie use.

Google

Google, who received a 100 million euro fine, were found to have breached the French Data Protection Act (which, amongst other things, implements the cookie provisions from the EU ePrivacy Directive into French law) in three instances:

- consent must be obtained prior to placing a non-essential cookie on a user’s device, but when users visited the google.fr site, several advertising cookies were automatically placed on their computer or other device;

- insufficient information was given. A banner displayed at the bottom of the page with the note “Privacy reminder from Google” and two buttons (“Remind me later” and “Access now”) did not "previously and clearly" inform users living in France about the placement of cookies on their devices (and consequently they were also not informed of the purposes of these cookies); and

- an "opposition mechanism" (which enabled a user to deactivate ad personalisation on the Google search) was partially defective, as one of the advertising cookies remained on the user’s device, reading information.

The 100 million euro financial penalty was split between US-based Google LLC (60 million euros) and Google Ireland (40 million euros), and is not Google’s first fine from the CNIL.

Amazon

Amazon Europe Core were fined 35 million euros. Like Google, they:

- automatically placed non-essential advertising cookies on the devices of those who visited their site (amazon.fr). The CNIL confirmed that depositing cookies at the same time as a user arrived on the site was a practice that, by its nature, was incompatible with the rules around obtaining prior consent; and

- provided insufficient information. The CNIL commented that the information given was not clear or complete. The information banner, which stated that “By using this website, you accept our use of cookies allowing to offer and improve our services. Read more”, did not provide sufficient information about the purpose of those cookies. It gave only general and approximate information about their purpose and did not make it clear that they were mainly used to display personalised ads. It also failed to explain that users could refuse these cookies and how they could do this. Even less information was provided when a user accessed the Amazon site via an advert from another site.

Comment

These fines are large, reflecting in part the CNIL’s view that the breaches were severe and that both organisations have a high number of French users and receive significant benefits from advertising. Their extra-territorial reach is also of interest to organisations based outside France. In the UK, the ICO has yet to focus its regulatory action on cookies in the same way it has done with (for example) direct marketing, and fines under the UK’s ePrivacy rules are currently limited to £500,000. However, the CNIL fines follow a number of cookie-related actions across the EU, and are a useful reminder for all organisations across both the UK and EU that cookie sanctions are real and can be significant. Now is therefore the perfect time to re-assess your organisation’s cookie compliance.

For more information on the cookie rules in the UK, please see our article New Cookie Guidance: Time to act.