Unlawful use of cookies: Google and Amazon receive multi-million-euro fines

The French data supervisory authority, CNIL, has fined Google €100million (£91million) and Amazon €35million (£31million) for unlawful uses of cookies.

The fines were issued under French law implementing the EU e-Privacy Directive (“Directive”). In the UK the Directive is implemented by the Privacy and Electronic Communications Regulations.

Background

Article 82 of the French Data Protection Act requires that visitors to websites must be informed of the purpose of any action taken to access or record information already stored on their computer (or other electronic communications device) and how they may oppose access. Access may only take place when the user or subscriber has agreed, after receiving this information.

Google fine

Google placed advertising cookies on visitor devices to google.fr. When a user visited the page google.fr, an information banner displayed at the bottom of the page, with the following note “Privacy reminder from Google”. In front of this were two buttons: “Remind me later” and “Access now”.

However, the banner did not provide the user with any information about cookies that had already been placed on their computer when arriving on the site. Nor was this information provided when they clicked on the “Access now” button.

CNIL found this use of cookies unlawful. It also found Google had failed to provide adequate information about placing these cookies and their purpose. Finally, it found Google had failed to implement a fully effective opt-out mechanism to allow users to refuse cookies.

CNIL fined Google €100million - €60million to Google LLC in the US and €40million to Google Ireland Limited.

Amazon fine

CNIL also fined Amazon for its website amazon.fr. It found that users visiting the website had cookies automatically placed on their computer, without any action required on their part. Several of these cookies were used for advertising purposes.

CNIL considered that the information banner displayed by Amazon, which stated “By using this website, you accept our use of cookies allowing us to offer and improve our services. Read More”, only contained general and approximate information about the purposes of all the cookies placed. By reading the banner, the user could not understand that cookies placed on their computer were mainly used to display personalised ads. The banner did not explain to the user that they could refuse these cookies and how to do so.

CNIL fined Amazon €35million for failing to obtain consent and provide adequate information to visitors to Amazon.fr before setting advertising cookies on their devices.

In both instances, CNIL noted the updated information banners set up by each company after the initial investigations did not allow users to properly understand the purposes for which advertising cookies are used.

Comment

The large fines issued to Amazon and Google again highlight the greater penalties available under the GDPR. The fines are much higher than the recently finalised fines in the UK of £20million to British Airways and £18.4million to Marriott International. 

CNIL’s fines specifically concerned collection and use of cookies. While Amazon and Google used pop-up banners, the information provided was insufficient. 

Individuals need to be made aware of cookie use, including the types of cookies used and what purposes they will be used for (including marketing). If using a pop-up on a webpage informing users of the use of cookies before they access the page, users must be given sufficient information and be able to choose which cookies are collected.