On 7 December 2020 the French data protection regulator (CNIL), acting as the Christmas Grinch for two of the major tech giants, issued Google LLC and Google Ireland Limited a total fine of €100 million and Amazon Europe Core a fine of €35 million - in both cases for dropping tracking cookies without consent.
Why were they fined?
Both of these fines followed investigations carried out by the CNIL into the respective web pages.
In the case of Google, the CNIL found three violations under Article 82 of the French Data Protection Act:
- Advertising cookies were being automatically dropped on a user’s device when they accessed google.fr, without any action from the user (including without obtaining the user’s consent).
- An advertising cookie was still being dropped, despite a user opting out of cookies by deactivating ad personalisation on Google search.
For Amazon, the fine was for very similar reasons:
- A large number of advertising cookies were being automatically dropped onto a user’s device without their consent.
What are the implications of the fines?
- Both decisions are a clear reminder of the current law around cookies: a) opt-in consent is required for all non-essential cookies; and b) cookie banners need to clearly set out what types of cookies a company is using and for what purposes (it is not enough to rely on the cookie notice alone), and individuals need to have an easy way to ‘accept’ and ‘reject’ cookies. A lot of our clients are already aware of the importance of complying with these requirements and are no longer taking the risk-based approach of relying on implied consent for cookies (you’ve seen all the pop-ups).
- This is also a reminder that at the moment the ‘one stop shop’ mechanism under the GDPR does not apply under the EU ePrivacy Directive, so organisations cannot rely on the (perhaps more) relaxed approach of local regulators in relation to cookie compliance. The application of the ‘one stop shop’ mechanism may change once the new ePrivacy Regulation comes into force.
- Finally, there are serious sums involved for getting it wrong. Organisations need to act now and ensure compliant cookie mechanisms are implemented and working!
The CNIL noticed that, no matter what path users took to visit the website, they were either insufficiently informed or never informed of the fact that cookies were placed on their computer.