For any organisations that are complacent about strict cookie compliance, yesterday’s announcement by the French data regulator (the CNIL) that it has fined Google and Amazon a total of 135 million euros for placing advertising cookies on user devices without obtaining prior consent or providing adequate information is a timely reminder of the importance of following the rules around cookie use.
Google, who received a 100 million euro fine, were found to have breached the French Data Protection Act (which, amongst other things, implements the cookie provisions from the EU ePrivacy Directive into French law) in three instances:
- consent must be obtained prior to placing a non-essential cookie on a user’s device, but when users visited the google.fr site, several advertising cookies were automatically placed on their computer or other device;
- insufficient information was given. A banner displayed at the bottom of the page with the note “Privacy reminder from Google” and two buttons (“Remind me later” and “Access now”) did not "previously and clearly" inform users living in France about the placement of cookies on their devices (and consequently they were also not informed of the purposes of these cookies); and
- an "opposition mechanism" (which enabled a user to deactivate ad personalisation on the Google search) was partially defective, as one of the advertising cookies remained on the user’s device, reading information.
The 100 million financial penalty was split between US-based Google LLC (60 million euros) and Google Ireland (40 million euros), and is not Google’s first fine from the CNIL.
Amazon Europe Core were fined 35 million euros. Like Google, they:
- automatically placed non-essential advertising cookies on the devices of those who visited their site (amazon.fr). The CNIL confirmed that depositing cookies at the same time as a user arrived on the site was a practice that, by its nature, was incompatible with the rules around obtaining prior consent; and
These fines are large, reflecting in part the CNIL’s view that the breaches were severe and that both organisations have a high number of French users and receive significant benefits from advertising. Their extra-territorial reach is also of interest to organisations based outside France. In the UK, the ICO has yet to focus its regulatory action on cookies in the same way it has done with (for example) direct marketing, and fines under the UK’s ePrivacy rules are currently limited to £500,000. However, the CNIL fines follow a number of cookie-related actions across the EU, and are a useful reminder for all organisations across both the UK and EU that cookie sanctions are real and can be significant. Now is therefore the perfect time to re-assess your organisation’s cookie compliance.
For more information on the cookie rules in the UK, please see our article New Cookie Guidance: Time to act.