Automatic dropping of cookies onto visitors to both Amazon.fr and Google.fr have landed the two companies with huge fines. The French data protection agency, CNIL, has issued penalty notices of €35 million and €100 million respectively after an investigation into breaches of Article 82 of the GDPR.
According to the regulator, neither company has been complying with the requirement that consent must be collected before non-essential cookies can be left on a user browsers. In Google’s case, information provided about use of cookies to visitors to the site was deemed insufficient and their purpose unclear. CNIL cites a complete breach of the regulation in Amazon’s case because Amazon.fr advised customers they had agreed to use of cookies upon accessing the site, thereby offering no possibility to give their consent.
Both companies defended their record and stance on privacy but Google conceded it would be working with the French data authorities to make improvements. Amazon has disagreed with the ruling, stating it complies fully with laws in every country it is accessed in, however, the practice of dropping cookies was ceased on both websites as of September 2020.
The issue of consent, clarified at the end of October 2019 by the Court of Justice of the European Union, states that a user’s consent to the use of cookies is not be valid if given by default. At the time of clarification, the CJEU issued a warning that failure to secure consent would result in large fines and on this occasion, the French regulator confirmed it considers the fines administered to the Amazon and Google commensurate to the seriousness of the breach in question.
