CNIL fines Google and Amazon for the unlawful use of cookies

Today, the CNIL announced fines of €100 million and €35 million for Gooogle and Amazon, respectively, for breaches of the French Data Protection Act.

The fines resulted from two separate investigations carried out by CNIL in relation to the use of cookies on the French websites of Google and Amazon.

The decision against Google

While it seems to be broadly stated that the CNIL fined Google €100 million, a more accurate statement is that the CNIL fined Google LLC (the parent company of Google’s French outfit GOOGLE FRANCE SARL) for €60 million, and Google Ireland Ltd (Google’s headquarters) for €40 million. Combined, these fines are the largest ever sanction handed out by the CNIL. Both Google LLC and Google Ireland Ltd were deemed jointly responsible for the use of cookies as both were considered to exercise decision-making power in relation to data processing concerning users located in France.

Substantive findings

The CNIL investigation found that the users visiting Google’s French website (google.fr) had several cookies automatically deposited in their devices, without being given an opportunity to refuse. Contrary to what Google argued, the CNIL ruled that it was not enough that users would eventually be informed about cookies.

The CNIL asserted that cookies could only ever be lawfully deposited after the user had given her informed consent, which itself was subject to receiving clear and comprehensive information on the purpose of cookies used and the avenues available to avoid them. As the CNIL rightly held, the fact that the user was left with no option but to scroll down a pop-up window, get past five other irrelevant links, to finally be able click on a link to a cryptically-named “Other Options” banner was not clear enough.

The French regulator recommended a two-stage process for online platforms to ensure that cookies were not deposited prior to user consent.

1. Upon their visit to a website, users should be shown a cookie banner setting out the explicit purposes for which cookies are used, and mentioning the possibility of disabling or opposing these cookies and change parameters by way of a link included in the banner;
2. When clicking on that link, users should be informed in a simple and intelligible manner of the options available to them to refuse, in whole or in part, all cookies for which consent is required. This information should be disaggregated by purpose, including advertising, social media buttons and audience measurement.

Further, the CNIL found that despite users choosing to disable cookies, various cookies with marketing purposes remained stored on users’ device. At least one of those cookies continued to systematically track users’ every interaction with the domain.

Procedural findings

Google argued that the applicable legal framework was not the ePrivacy Directive, but the General Data Protection Regulation (GDPR). If the latter, Google argued, the competent data protection authority was not the CNIL, but the Data Protection Commissioner (Ireland’s Data Protection Authority), on account of Google being headquartered in Ireland and by virtue of the operation of the 'one-stop shop' mechanism foreseen by GDPR - a mechanism applying to cross-border processing by which a single supervisory (data protection) authority is empowered to act as the lead on behalf of other EEA supervisory authorities. Google argued that excluding the application of the 'one-stop shop' mechanism would contribute to the fragmentation of European regulation on data protection and cookies.

The CNIL disagreed. While the subject-matter of the complaint engaged elements of both the GDPR and the ePrivacy directive, the ePrivacy directive took precedence as lex specialis. In its reasoning, the CNIL highlighted that the ePrivacy directive explicitly stated that its purpose was to particularise and complement GDPR. In turn, GDPR excludes from its scope of application all matters which are subject to specific obligations under the ePrivacy directive. The ePrivacy directive itself contains provisions enabling member states to develop and enforce a sanctions regime. The CNIL further referred to the fact that the potential application of a 'one-stop shop' mechanism to the ePrivacy directive had been discussed for three years at the European level, meaning that the current position in law is that the 'one-stop shop' mechanism does not apply to the ePrivacy directive.

You can read the full decision against Google here.

The decision against Amazon

The fine against Amazon was issued against Amazon Europe Core, a company registered in Luxembourg and belonging to the Amazon group.

Substantive findings

The CNIL noted that users visiting Amazon’s French website (amazon.fr) by clicking through an Amazon ad posted on a third-party website automatically had cookies stored on their device upon arrival, without having a prior opportunity to consent. The same did not occur with users directly visiting the Amazon homepage. Amazon argued, among others, that the vast majority of users clicking on Amazon ads on third-party websites had previously visited Amazon’s website and so were aware of Amazon’s cookie policy. Further, Amazon argued that its ads on third-party websites had an Adchoices icon, which users could click on to learn about the cookie policy.

The CNIL rejected these arguments. First-time visitors to Amazon could easily be led to the website through ads on third-party websites. Similarly, it could not be reasonably expected of users to click on a small Adchoices icon prior to clicking on the ad itself, particularly where it was not made clear on the ad that the icon would give them information regarding the cookie policy. In any event, clicking on the Adchoices icon neither provided the user with detailed information as to the purpose of cookies nor made it clear as to what choice they had to disable them.

Once again, the CNIL emphasised the need for online platforms to abide with the two-stage process for informing users of the cookie policy.

Procedural findings

Similarly to Google, Amazon disputed CNIL’s jurisdiction to engage in a sanctions procedure against it, arguing that the competent authority was the Luxemburgean data protection authority, the CNPD. Amazon argued that, in the absence of provisions in the ePrivacy directive addressing cross-border processing, the GDPR and its ‘one-stop shop’ mechanism applied. Under the ‘one-stop shop’ mechanism, the CNPD would be the competent authority.

As it did in the Google decision, the CNIL found that, given that the GDPR specifically excluded from its scope of application data protection matters dealt with in the earlier ePrivacy directive, the ‘one-stop shop’ mechanism was not engaged. The CNIL emphasised the importance of distinguishing reading and writing operations on a terminal equipment - governed by the ePrivacy directive - and the subsequent use made of data collected by cookies, governed by GDPR.

You can read the full decision against Amazon here.

What is the relevance of these findings?

The CNIL’s decision is a welcome step towards the regulation of online tracking. There is a systemic problem in the use of online cookies, and deceptive as well as infringing practices continue to proliferate. Often, cookie banners come with pre-ticked boxes or signal that cookies are opt-out by default. This means that users have to take the time to un-tick boxes prior to confirming their choices. As shown by the Google and Amazon decisions, it is also not always clear how, if at all, users can disable cookies. And as the Google decision above illustrates, seemingly disabling cookies on a platform may result in some cookies nonetheless surviving the cull and covertly operating in the background.

The CNIL decisions provide online platforms with a blueprint as to how they can fulfill their data protection obligations in relation to cookies and online tracking. Specifically, CNIL’s decision in relation to Amazon decisively shows that de minimis approaches to cookie policies are insufficient. In all circumstances, users must be given the opportunity to consent prior to any cookies being installed, subject to being given comprehensive and clear information about the purpose of any cookies operating on the website.

More importantly, however, the CNIL decisions show an important interpretive trend whereby data protection authorities may readily investigate and sanction conduct that falls foul of the ePrivacy directive without being restrained by GDPR’s ‘one-stop shop mechanism’.

What needs to be done?

The CNIL decision is only one piece of the puzzle. Its investigations and decisions explicitly focussed on the installation of cookies on users’ devices. This is a good starting point. However, further clarity and enforcement is needed in relation to how information gathered by cookies is used. Companies share, enrich and exchange users’ data in a vast ecosystem of data brokers and advertisers. Once you have given “consent”, your data disappears in the data brokerage ether and could potentially be used for anything, from product promotion to microtargeting by political parties. That’s neither fair nor transparent.

PI is working to uncover the hidden data ecosystem by using the law as a tool to investigate and hold to account a range of data companies that facilitate mass data exploitation.