On December 7, 2020, the French Data Protection Authority (“CNIL”) issued over $163 million in fines against Google and Amazon for violating notice and consent rules under Article 82 of the French Data Protection Act, which transposes the ePrivacy Directive’s cookie consent requirements. The CNIL found that certain Google and Amazon websites automatically placed advertising cookies on users’ computers, a violation of the legal requirement to obtain a user’s prior express consent to place nonessential cookies. In certain cases on Google’s website, the CNIL noted that an advertising cookie persisted on users’ computers and was used to transmit data even after users had de-activated ad personalization, making Google’s “opposition mechanism … partially defective.” In addition, the companies provided insufficient information explaining the purpose of cookies placed and how users can exercise their rights related to them.
Since the CNIL informed both companies of its investigations earlier this year, each has updated its European website to stop placing advertising cookies absent the user’s prior express consent. However, the CNIL found that cookie banners on both companies’ websites remain insufficient to explain to users the purpose of the cookies placed, the fact that users can refuse them, and how to do so. Google and Amazon have been given three months to better inform users about their cookie practices, or else face further fines of €100,000 per day.
This enforcement action reiterates the importance of complying with EU cookie consent rules and honoring data subjects’ right to be informed, specifically regarding the purpose of advertising cookies and the user rights related to them.
It also highlights the need for companies to follow cookie guidance from data protection authorities across the EU, not just in the member state where their main establishment is located. The CNIL explained that the GDPR one-stop-shop mechanism (which may give the Irish data protection authority primary jurisdiction over certain Google-related matters) was inapplicable because this case was brought under French law implementing the ePrivacy Directive, which has no one-stop-shop concept.