French Data Protection Authority (CNIL) fines Google and Amazon 135 million euros for alleged cookie violations

On 10th December 2020 the French Data Protection Authority (CNIL) announced that it was fining Google LLC €60 million, Google Ireland Limited €40 million and Amazon Europe Core €35 million. They found that, under the French cookie rules Google failed to obtain the consent of users of google.fr, before setting advertising cookies on their devices. They also found that they failed to provide users with adequate information about the use of cookies or to implement a fully effective opt-out mechanism to enable users to refuse cookies. Amazon was found to also have failed to obtain consent or provide adequate information.

 

The background facts

Article 82 of the French Data Protection Act (which implements into French law the provisions of the EU ePrivacy Directive governing the use of cookies) and a number of soft law instruments (aimed at guiding operators in implementing Article 82 of the French Data Protection Act) set out the French cookie rules. 

Although the French Data Protection Act hasn’t changed the CNIL has changed its soft laws to reflect strengthened consent requirements set out in the EU GDPR. New guidelines about this were published by CNIL in July 2019. In October 2020 CNIL finalised its guidelines and recommendations, announcing that it would allow a transition period of six months for companies to comply with the new cookie law rules. However, they also reserved the right to take action against certain and particularly serious infringements, before that six month transition was up.  It also said that it would continue to investigate infringements of the previous cookie laws. 

Three remote inspections of Amazon’s website and premises were carried out in December 2019 and early 2020 and another of Google’s website. These inspections aimed to verify whether Google LLC and Google Ireland Limited and Amazon Europe Core complied with the French Data Protection Act, and in particular with its Article 82, when setting or reading non-essential cookies on the devices of users living in France who visited google.fr and amazon.fr websites.

The sanctions against Google and Amazon were, said CNIL, punishing breaches of obligations that existed before the GDPR and are not part of the obligations clarified by the new Guidelines and Recommendations.

Perhaps understandably Google and Amazon challenged these sanctions. They said that the cooperation mechanism of the GDPR (known as the one-stop-shop mechanism) should apply and the CNIL is not their lead supervisory authority for the purposes of that mechanism; and (2) their cookie practices do not fall within the territorial scope of the French Data Protection Act. 

Amazon argued that its French establishment was not involved in the setting of cookies on the French site and there was no link between the French site and the French premises (in that cookies were set by their Luxembourg affiliate site). Google argued likewise that because the one-stop-shop mechanism should apply its headquarters in Ireland should mean that the Irish Data Protection Commissioner should be their supervisory authority.

The CNIL, however, responded that the French cookie rules are based on the EU ePrivacy Directive and not the GDPR and, as such, the one-stop-shop mechanism of the GDPR does not apply to the enforcement of the provisions of the EU ePrivacy Directive. Unsurprisingly, therefore, the CNIL rejected the arguments of Google and Amazon.

Furthermore, in addition to detailed investigation of the organisational structure, data controlling and processing, the CNIL, made reference to the rulings of the Court of Justice of the European Union in the Google Spain and Wirtschaftsakademie cases in taking the view that the use of cookies on the French site (google.fr and amazon.fr respectively) was carried out in the context of the activities of the French establishment of the companies, because that establishment promotes their respective products and services in France.

 

So, what were they actually doing wrong?

Setting advertising cookies:

  • Google.fr was automatically setting seven cookies on visitors devices. Four of these were advertising cookies.

  • Amazon.fr was automatically setting more than 40 advertising cookies on visitors’ devices whenever users first visited the home page or visited the site after clicking on an advert published on another site.

  • As advertising cookies require users’ prior consent, and they were not getting this, the CNIL concluded that the companies failed to comply with the cookie consent requirement of Article 82 of the French Data Protection Act.

 

Lack of adequate information:

  • Google.fr did display an information banner at the bottom of the pace but the CNIL found that this banner did not provide users with information regarding the cookies that were already set on their device. Information was not provided when users clicked on the ‘access now’ button. Although Google updated its cookie practises in September 2020 the CNIL found that the new pop-up window didn’t inform people of the purpose of the cookies or information about the precise nature of the personalisation. They also found that it wasn’t made clear enough how users could refuse cookies.

  • Amazon.fr was found not to provide clear or complete information as to cookie use or refusal. This was found to be even more of a failing when users visited the website after they had clicked on an advertisement on another site.

 

Opting out:

  • Google was found to leave one advertising cookie on users’ devices even after they had clicked on the ‘access now’ deactivation button.

 

How were the fines decided?

The CNIL took into account the seriousness of the breaches of Article 82 of the French Data Protection Act, the high number of users affected by those breaches, and the financial benefits deriving from the advertising income indirectly generated from the data collected by the advertising cookies. Although both companies were noted to have updated their cookie practices in September 2020 - as well as having stopped setting advertising cookies - it was felt that this did not go far enough. 

The CNIL addressed its decisions, in these matters, to the French establishment of each company, in order to enforce the decisions. They also ordered a periodic penalty payment of €100,000 (the maximum amount permitted under the French Data Protection Act) for each day of delay in complying with the injunction, starting three months after notification of the CNIL’s decision, in each case.