On 10 December 2020, the French DPA (“CNIL”) announced several fines imposed for breaches of the data protection requirements related to the use of cookies.
Fines amounting to a total of EUR 100M were imposed on GOOGLE LLC and on GOOGLE IRELAND LIMITED for setting advertising cookies on the computers of users of the google.fr search engine without prior consent or satisfactory information. In particular, the CNIL noted that the cookie banner of the said search engine did not allow users residing in France to be previously and clearly informed about the placement of cookies on their computer nor, consequently, of the objectives of these cookies and the means made available to them as to the possibility of refusing them. In addition, the CNIL found that the opposition mechanism put in place by the companies was partially faulty, given that one of the advertising cookies remained stored on the users’ computers and continued to read information intended for the server to which it was attached. Furthermore, the CNIL highlighted that these practices had affected nearly fifty million users.
Another fine of EUR 35M was imposed on AMAZON EUROPE CORE for setting advertising cookies on the computers of users of the amazon.fr site without prior consent or satisfactory information. In particular, the CNIL noted that upon reading the cookie banner of the said site, the user was not able to understand that the cookies placed on his/her computer had the main objective of displaying personalized advertisements. The CNIL also noted that the banner did not indicate that users have the right to refuse these cookies and the means at their disposal for this purpose.
In addition to the above-mentioned fines, the CNIL also adopted injunctions so that each of the sanctioned companies proceeds to properly inform data subjects within 3 months as from the notification. Otherwise, the companies will be exposed to the payment of a fine of EUR 100,000 per day of delay.
The full press releases are available here and here (only in French).