THE LENS
Digital developments in focus

Cookie catch-up: What you need to know about the CNIL’s Google and Shein fines (and other summer developments)

At the start of September, the French data protection authority (the CNIL) issued record-breaking cookie penalties against Google (€325 million) and online fashion retailer Shein (€150 million). With the UK’s cookie penalties set to increase at the end of the year, and the UK Information Commissioner’s Office (ICO) continuing its enforcement focus on the area, cookie compliance is firmly on the syllabus for this new term. In this blog, we focus on the key points you need to know from the recent CNIL fines and other cookie developments over the summer.

Background on the CNIL fines

The fines against Google (split between Google LLC and Google Ireland Limited) were triggered by complaints by campaign group NOYB and focused on:

  • Google’s inclusion of advertising messages within users’ “promotions” and “social” areas of their Gmail inboxes, that looked similar to email messages, without having the necessary user consent.
  • The cookie consent mechanism used during Google’s account sign-up process, with failings identified in connection with both banner design and information provided to users. 

The Shein fine, levied against the Irish subsidiary of the group (Infinite Styles Services Co. Limited), was triggered by a CNIL inspection of the “shein.com” website, with failings identified in the operation of the company’s website cookie banner and the information provided to users. Both fines focused on breaches of France’s domestic law, transposing the EU’s e-Privacy Directive, giving the CNIL jurisdiction to proceed with the actions outside of the General Data Protection Regulation’s one-stop-shop.

Key takeaways for organisations: 

Cookie banner information in the spotlight: Both the Google and Shein fines identified failings in the information provided to individuals about the cookies being placed. In Shein’s case, the CNIL particularly highlighted a lack of information about advertising purposes and even drilled down into the information that should have been provided on the second level of the notice, with details identified as lacking in relation to third parties placing cookies. In Google’s case, a lack of information being presented to users contributed to the consent being held to be not ‘freely given’ and the banner being classified as unlawful – confirming the importance of clear and comprehensive information on cookies being provided to users, particularly where organisations’ behavioural advertising activities are extensive and risks are higher. 

Cookie banners must work: The CNIL’s Shein fine identified a range of failings in the operation of the company’s cookie banner, with the regulator identifying cookies being set by the site both before the cookie banner loaded and where the user had ‘rejected all’ or subsequently withdrawn cookie consent. Organisations should now be examining existing approaches to cookie audits and reconsidering how well existing processes for monitoring cookie functionality are working in practice (as we discuss in this article). 

Regulators remain focused on websites’ compliance… Website cookie compliance should remain a compliance priority for organisations, as we have seen from the Shein fine and as confirmed by the ICO’s most recent progress update on its online tracking strategy (the Tracking Update). The Tracking Update confirms that progress is being made on the ICO investigation into the UK’s top 1000 websites’ cookie compliance, with all sites now having been written to and the regulator currently assessing responses. The ICO statement confirms that “enforcement action will follow” where the law isn’t complied with. 

At the same time, the ICO is looking to encourage the development of privacy-preserving ads (such as contextual) – and is considering stepping back from cookie enforcement in that area (see ICO consultation launched on 7 July).

…but are increasingly looking at other forms of tracking too: In June, the CNIL issued draft guidance on the use of tracking pixels in emails (widely used to detect whether marketing emails have been opened or forwarded etc.) and the ICO posted about them earlier this year too, showing that this form of tracking is now rising up regulators’ agendas. Compliance for mobile apps and smart devices is also coming under increasing scrutiny: the CNIL is looking to start enforcing in this area this autumn (following its apps guidance in April) and in the UK, the ICO has confirmed it is focusing on tracking by apps and Internet of Things devices and is currently working with smart product developers and manufacturers to embed data protection by design. Organisations using email tracking or tracking technologies across apps or smart devices should ensure these are included in their compliance reviews.

Is reform on the horizon? On 16 September, the European Commission issued a call for evidence in relation to its Digital Omnibus plans to simplify the EU’s digital laws. Cookies are one area the Commission is potentially targeting for reform and simplification, with the aim of reducing consumers’ consent fatigue and facilitating businesses’ use of cookies and other technologies “for increased data availability”.

 

 

 
