The French data supervisory authority, CNIL, has fined Google €100million (£91million) and Amazon €35million (£31million) for unlawful uses of cookies.
The fines were issued under French law implementing the EU e-Privacy Directive (“Directive”). In the UK the Directive is implemented by the Privacy and Electronic Communications Regulations.
Article 82 of the French Data Protection Act requires that visitors to websites be informed of the purpose of any action taken to access or record information already stored on their computer (or other electronic communications device) and how they may oppose access. Access may only take place when the user or subscriber has agreed, after receiving this information.
Google placed advertising cookies on the devices of visitors to google.fr. When a user visited the page google.fr, an information banner was displayed at the bottom of the page, with the following note: “Privacy reminder from Google”. Next to this note were two buttons: “Remind me later” and “Access now”.
However, the banner did not provide the user with any information about cookies that had already been placed on their computer when arriving on the site. Nor was this information provided when they clicked on the “Access now” button.
CNIL fined Google €100million: €60million to Google LLC in the US and €40million to Google Ireland Limited.
CNIL also fined Amazon for its website amazon.fr. It found that users visiting the website had cookies automatically placed on their computer, without any action required on their part. Several of these cookies were used for advertising purposes.
CNIL fined Amazon €35million for failing to obtain consent and provide adequate information to visitors to Amazon.fr before setting advertising cookies on their devices.
In both instances, CNIL noted that the updated information banners set up by each company after the initial investigations did not allow users to properly understand the purposes for which advertising cookies are used.
The large fines issued to Amazon and Google again highlight the greater penalties available under the GDPR. The fines are much higher than the recently finalised fines in the UK of £20million to British Airways and £18.4million to Marriott International.