In the “Planet49” judgment of 2019, the European Court of Justice ruled that the use of advertising cookies requires the prior consent of the user in the form of active consent. The French data protection authority CNIL’s 7 December decision against Google and Amazon follows suit: Google and Google Ireland are required to pay a combined fine of €100 million, while Amazon’s subsidiary Europe Core has been fined €35 million.
Decision based on previous cookie practices
The CNIL accuses Google of having “placed advertising cookies on the computers of users of the google.fr search engine without prior consent and without adequate information”. Namely, Google displayed a banner entitled ” Rappel concernant les règles de confidentialité de Google ” (“Reminder concerning the privacy settings”) when a user visited the google.fr site. The two buttons on the banner were labelled ” Me le rappeler plus tard ” (“Remind me later”) and ” Consulter maintenant ” (“Access now”).
Similary, Europe Core, which belongs to the Amazon group, was found to have placed cookies without the user’s prior consent.
Google has adapted its practices since the beginning of the CNIL proceedings. Specifically, Google’s cookie has been redesigned in September: People who visit google.fr now see a popup in the centre of their screen before they can access the search engine, titled ” Avant de continuer” (“Before you continue”), which carriesas the following notice:
Although the CNIL considers this new notice to be an improvement from Google’s previous practicesit considers the amount of information still not sufficient in light of the purposes for which cookies are placed and concerning the possibility of withdrawing consent. Google and Google Ireland have now been given three months to adapt again in order to avoid further fines.
The CNIL has issued a similar “ultimatum” to Europe Core as the similarly redesigned banner used by the Amazon subsidiary is also not regarded as a solution to the underlying problem.
Website operators should check the design of their cookie banners
In view of the drastic action taken by the French data protection authority, particular attention must be paid to the use of advertising cookies to ensure that consent is obtained in a legally sufficient manner and that users are provided with the necessary information. The Lower Saxony data protection authority recently published guidance on this issue to support adequate consent practices on websites. This document can certainly serve as a reference point to ensure data protection compliance.
In this light, the following points should be kept in mind when assessing the consent mechanism for the use of advertising cookies:
1. Cookies are placed only after consent has been given
Consent must be obtained before placing advertising cookies.
2. Informed consent
Users must be provided with the necessary information about the scope of their consent in particular about the identity of the controller, the processing purposes, the data types processed and the existence of their right to withdraw consent.
3. Clear and voluntary consent
Valid consent requires a clear confirmatory act. Users must also be able to refuse consent.
4. No undue influence on user decisions
Refusing consent must not be unnecessarily more complicated compared to acceptance (no undue “nudging”). Website operators should also avoid repeatedly asking users for their consent after they have refused it.
5. Revocability of consent
Withdrawal of consent must be possible in the same way and as simply as granting consent.
Contact us for additional advice concerning your cookie practices and, if necessary, a check of your current platform.