Published On: Wed, Dec 16th, 2020

France fines Google $120M and Amazon $42M for dropping tracking cookies but consent

France’s information insurance agency, a CNIL, has slapped Google and Amazon with fines for dropping tracking cookies but consent.

Google has been strike with a sum of €100 million ($120 million) for dropping cookies on Google.fr and Amazon €35 million (~$42 million) for doing so on a Amazon .fr domain underneath a chastisement notices released today.

The regulator carried out investigations of a websites over a past year and found tracking cookies were automatically forsaken when a user visited a domains in crack of a country’s Data Protection Act.

In Google’s box a CNIL has found 3 agree violations associated to dropping non-essential cookies.

“As this form of cookies can't be deposited but a user carrying voiced his consent, a singular cabinet deliberate that a companies had not complied with a requirement supposing for by essay 82 of a Data Protection Act and a before collection of a agree before a deposition of non-essential cookies,” it writes in a chastisement notice [which we’ve translated from French].

Amazon was found to have done dual violations, per a CNIL chastisement notice.

CNIL also found that a information about a cookies supposing to site visitors was unsound — observant that a ensign displayed by Google did not yield specific information about a tracking cookies a Google.fr site had already dropped.

Under inner French (and European) law, site users should have been clearly sensitive before a cookies were forsaken and asked for their consent.

In Amazon’s box a French site displayed a ensign informing nearing visitors that they concluded to a use of cookies. CNIL pronounced this did not approve with clarity or agree mandate — given it was not transparent to users that a tech hulk was regulating cookies for ad tracking. Nor were users given a event to consent.

The law on tracking cookie agree has been transparent in Europe for years. But in Oct 2019 a CJEU statute serve simplified that agree contingency be performed before to storing or accessing non-essential cookies. As we reported during a time, sites that unsuccessful to ask for agree to lane were risking a large excellent underneath EU remoteness laws.

Google and Amazon are now anticipating that out to their cost, it seems.

Europe’s tip justice says active agree is indispensable for tracking cookies

We’ve reached out to Amazon and Google for criticism on a CNIL’s action.

Update: Google sent this statement, attributed to a spokesperson:

People who use Google design us to honour their privacy, either they have a Google comment or not. We mount by a record of providing upfront information and transparent controls, clever inner information governance, secure infrastructure, and above all, useful products. Today’s preference underneath French ePrivacy laws overlooks these efforts and doesn’t comment for a fact that French manners and regulatory superintendence are capricious and constantly evolving. We will continue to rivet with a CNIL as we make ongoing improvements to improved know a concerns.

Update 2: Amazon has also now sent a statement:

We remonstrate with a CNIL’s decision. Protecting a remoteness of a business has always been a tip priority for Amazon. We invariably refurbish a remoteness practices to safeguard that we accommodate a elaborating needs and expectations of business and regulators and entirely approve with all germane laws in any nation in that we operate.

Amazon combined that it has updated information and choices offering on a cookie banners on a EU, U.K. and Turkish stores, in a arise of a CNIL’s review — indicating to a cookie preferences settings page where it pronounced users can refurbish their agree to cookies during any time.

In Google’s box a CNIL also found that when a user comparison to deactivate personalized promotion — around an choice that Google’s cookie notice presented them with — a resource usually partially worked, as one promotion cookie remained stored on their appurtenance and continued to routine information in transparent defilement of a agree law.

The CNIL’s chastisement for Google breaks down into a excellent of €60 million for Google LLC and €40 million for Google Ireland Ltd.

It says a distance of a fines is fit given of a earnest of a triple crack of essay 82 of a Data Protection Act.

Other factors concerned in last a distance of a excellent enclosed a strech of Google’s hunt engine in France and a fact that a corporate practices impact roughly 50 million people, as good as a sizeable increase it derives from advertising, that are associated to information generated by a tracking cookies.

Per a CNIL’s investigation, Google stopped automatically dropping a ad cookies on a Google.fr domain after an refurbish in Sep 2020. However it pronounced a new cookie notice that’s presenting to nearing users still does not yield adequate information about what a cookies are used for nor surprise users they can exclude these non-essential cookies.

Because of this a CNIL has also strike Google with an claim — giving it 3 months to scold a cookie notices so they yield a compulsory information to users or Google is risking serve fines of €100,000 per day until a defilement stops.

The regulator’s review of Google.fr took place in Mar 2020, while a checks on Amazon.fr took place between midst Dec 2019 and midst May 2020.

Amazon also updated a inner site in Sep 2020 — to stop automatically dropping a tracking cookies.

However a CNIL is likewise unfortunate with a information it provides to users, anticipating it does not clearly explain a tracking cookies nor make it plain users can exclude this “personalized” advertising, so a e-commerce hulk has also been released with an claim to make good on a agree notices within 3 months or face serve fines of €100,000 per day.

The top-line penalties are some of a largest tech giants have faced in Europe to date associated to a bloc’s remoteness rules. Albeit, a distance of a fines still pales in comparison a billions a tech giants hillside in globally any year.

The CNIL formerly fined Google $57 million, behind in 2019 — also for unwell clarity requirements. Though that box was associated to complaints filed underneath a EU’s General Data Protection Regulation (GDPR).

In this instance (for both Google and Amazon) a CNIL points out that cookie agree falls underneath a EU’s ePrivacy Directive, that means a GDPR’s one-stop-shop resource does not flog in. Which means a French watchdog has authorised cunning to investigate, rather than wanting to impute concerns to a lead EU DPA where any of a companies have their informal authorised base.

In Google’s box that would be Ireland (while Amazon has a European authorised bottom in Luxembourg).

It’s value observant that Ireland’s DPC still hasn’t released a singular GDPR preference in any of a scores of open cases associated to large tech (including into several aspects of Google’s business), some-more than 2.5 years given a GDPR came into application.

Meanwhile, a speed of French investigations and decisions continue to impress.

So today’s cookie fines will approaching yield some-more succour to critics of GDPR enforcement.

GDPR coercion contingency turn adult to locate large tech, news warns

Although it’s not a like-for-like comparison, as a CNIL’s investigations in these cases have been singular in range (i.e. national), bypassing a executive complexity trustworthy to GDPR cross-border cases — that involves some corner operative and ultimate agreement between mixed DPAs opposite a EU.

However, if an comparison EU gauge is shown to be delivering rapid coercion — when a “shiny”, newer law can’t — that does lift some vital questions for informal lawmakers who have conceded in new months that GDPR coercion is a debility of their flagship framework.

Forum shopping, around a GDPR’s one-stop-shop mechanism, is looking like a biggest blocker to EU adults being means to defend their most trumpeted elemental rights.

Returning to a cookie agree issue, a CNIL has done questioning cookie correspondence a sold concentration — edition updated superintendence for regulating a tracking tech in October, when it pronounced it would offer a beauty duration of adult to 6 months to come into compliance.

However, a regulator warned it would continue to entirely guard wider correspondence issues around cookies and could take movement to strengthen a remoteness of internet users if necessary.

Hence it’s stepped in with penalties and injunctions for Google and Amazon now.

Ireland’s DPC also published updated cookie superintendence this year, behind in April, observant too that it would give a beauty duration — until Oct — before it begun holding any coercion action. But, so far, it hasn’t done open any such action.

While a initial ever GDPR preference in a cross-border box — opposite Twitter — is approaching to land finally this month.

Cookie agree still a correspondence rabble glow in latest watchdog peek

This early GDPR adtech strike puts a spotlight on consent

About the Author