French regulators fine Google and Amazon over cookie policies

Google and Amazon have been fined a total of €135m (£121m) by CNIL, the French data protection watchdog, over their use of advertising cookies and their automatic placement of cookies on the devices of visitors to those websites.

The two separate investigations conducted over the course of just under a year found both companies in breach of Article 82 of the French Data Protection Act.

In Google’s case, the organisation was found to have placed advertising cookies on the devices of visitors to Google.fr without first establishing consent to do so; to have failed to provide adequate information about the placement of such cookies or their purpose; and to have failed to correctly implement the opposition mechanism in certain circumstances. Its fine will total €100m, split between Google LLC (€60m) and Google Ireland Ltd (€40m).

Amazon was found in breach over failure to establish consent and failure to provide adequate information to visitors to Amazon.fr. Its fine will total €35m.

In each case, the watchdog noted subsequent developments made by Google and Amazon. However, in both cases it said it believed that new information banners set up by each organisation still did not allow users located in France to properly understand the purposes for which advertising cookies are used, or that they are well within their rights to refuse them.

In light of this, Google and Amazon have also been ordered to take steps to better inform their users under their Article 82 obligations within the next three months, or face further fines of €100,000 a day.

Both the judgment against Google and that against Amazon can be read in full, in English, at CNIL’s website.

Commenting on the ruling, a Google spokesperson said: “People who use Google expect us to respect their privacy, whether they have a Google account or not. We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure and, above all, helpful products.

“Today's decision under French ePrivacy laws overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving. We will continue to engage with the CNIL as we make ongoing improvements to better understand its concerns.”

Amazon had not responded for a request for comment at the time of writing. However, in comments shared elsewhere, the firm said it disagreed with CNIL’s decision and asserted that protecting the privacy of its customers was a top priority. Amazon said it is continuously updating its privacy practices to meet changing needs and expectations of both customers and regulators, and is at pains to fully comply with data protection laws in every market it operates in.

The use of cookies for advertising and marketing purposes is, of course, widespread, but given the advent of new data privacy laws and regulations – including but not limited to the European General Data Protection Regulation (GDPR) – a spotlight is being shone on the practice of tracking users movements and interests around the internet.

In the UK, the data processing policies and practices of Oracle and Salesforce will be probed next year in a lawsuit in the High Court which, if successful, could result in damages of up to £10bn.

Both firms are accused of failing to establish clear consent for the collection of data sold to advertisers to target online ads. This data can include information on personal interests, location, income, relationship status, gender, sexual orientation, health status, age, education, and political or religious affiliations. Both Oracle and Salesforce are challenging the assertions.