French Data Protection Authority (CNIL) fines Google and Amazon 135 million euros for alleged cookie violations
The background facts
Although the French Data Protection Act hasn’t changed, the CNIL has changed its soft law to reflect the strengthened consent requirements set out in the EU GDPR. New guidelines about this were published by the CNIL in July 2019. In October 2020 the CNIL finalised its guidelines and recommendations, announcing that it would allow a transition period of six months for companies to comply with the new cookie law rules. However, it also reserved the right to take action against certain particularly serious infringements before that six-month transition was up. It also said that it would continue to investigate infringements of the previous cookie laws.
Three remote inspections of Amazon’s website and premises were carried out in December 2019 and early 2020, and another of Google’s website. These inspections aimed to verify whether Google LLC, Google Ireland Limited and Amazon Europe Core complied with the French Data Protection Act, and in particular with its Article 82, when setting or reading non-essential cookies on the devices of users living in France who visited the google.fr and amazon.fr websites.
The sanctions against Google and Amazon were, said CNIL, punishing breaches of obligations that existed before the GDPR and are not part of the obligations clarified by the new Guidelines and Recommendations.
Perhaps understandably, Google and Amazon challenged these sanctions. They said that (1) the cooperation mechanism of the GDPR (known as the one-stop-shop mechanism) should apply and the CNIL is not their lead supervisory authority for the purposes of that mechanism; and (2) their cookie practices do not fall within the territorial scope of the French Data Protection Act.
Amazon argued that its French establishment was not involved in the setting of cookies on the French site and there was no link between the French site and the French premises (in that cookies were set by their Luxembourg affiliate site). Google likewise argued that, because the one-stop-shop mechanism should apply, its headquarters in Ireland meant that the Irish Data Protection Commissioner should be its supervisory authority.
The CNIL, however, responded that the French cookie rules are based on the EU ePrivacy Directive and not the GDPR and, as such, the one-stop-shop mechanism of the GDPR does not apply to the enforcement of the provisions of the EU ePrivacy Directive. Unsurprisingly, therefore, the CNIL rejected the arguments of Google and Amazon.
So, what were they actually doing wrong?
Setting advertising cookies:
Google.fr was automatically setting seven cookies on visitors’ devices. Four of these were advertising cookies.
Amazon.fr was automatically setting more than 40 advertising cookies on visitors’ devices whenever users first visited the home page or visited the site after clicking on an advert published on another site.
As advertising cookies require users’ prior consent, and they were not getting this, the CNIL concluded that the companies failed to comply with the cookie consent requirement of Article 82 of the French Data Protection Act.
Lack of adequate information:
Amazon.fr was found not to provide clear or complete information as to cookie use or refusal. This was found to be even more of a failing when users visited the website after they had clicked on an advertisement on another site.
Google was found to leave one advertising cookie on users’ devices even after they had clicked on the ‘access now’ deactivation button.
How were the fines decided?
The CNIL took into account the seriousness of the breaches of Article 82 of the French Data Protection Act, the high number of users affected by those breaches, and the financial benefits deriving from the advertising income indirectly generated from the data collected by the advertising cookies. Although both companies were noted to have updated their cookie practices in September 2020 - as well as having stopped setting advertising cookies - it was felt that this did not go far enough.
The CNIL addressed its decisions in these matters to the French establishment of each company, in order to enforce the decisions. It also ordered a periodic penalty payment of €100,000 (the maximum amount permitted under the French Data Protection Act) for each day of delay in complying with the injunction, starting three months after notification of the CNIL’s decision, in each case.