French data protection authority CNIL imposes record fines on Google and Amazon for unlawful use of advertising cookies

In the “Planet49” judgment of 2019, the European Court of Justice ruled that the use of advertising cookies requires the prior consent of the user in the form of active consent. The French data protection authority CNIL’s 7 December decision against Google and Amazon follows suit: Google and Google Ireland are required to pay a combined fine of €100 million, while Amazon’s subsidiary Europe Core has been fined €35 million.

Decision based on previous cookie practices

The CNIL accuses Google of having “placed advertising cookies on the computers of users of the google.fr search engine without prior consent and without adequate information”. Namely, Google displayed a banner entitled ” Rappel concernant les règles de confidentialité de Google ” (“Reminder concerning the privacy settings”) when a user visited the google.fr site. The two buttons on the banner were labelled ” Me le rappeler plus tard ” (“Remind me later”) and ” Consulter maintenant ” (“Access now”).

The CNIL holds that this banner did not adequately inform users about the placement of cookies, particularly since advertising cookies were already set once users accessed the google.fr site. Even after users had chosen to access the ” Consulter maintenant” button, they were not sufficiently informed about the cookies. The users thus lacked the information on how to object to the use of cookies.

Similary, Europe Core, which belongs to the Amazon group, was found to have placed cookies without the user’s prior consent.

Insufficient adjustments

Google has adapted its practices since the beginning of the CNIL proceedings. Specifically, Google’s cookie has been redesigned in September: People who visit google.fr now see a popup in the centre of their screen before they can access the search engine, titled ” Avant de continuer” (“Before you continue”), which carriesas the following notice:

“Google uses cookies and other information to provide, manage and improve its services and advertisements. If you consent, we will customize the content and ads you see based on your activity in Google services such as Search, Maps and YouTube. Some of our partners also evaluate how our services are​ used. Click on ” More Information” to learn more about your options or visit the g.co/privacytools page at any time. “

Although the CNIL considers this new notice to be an improvement from Google’s previous practicesit considers the amount of information still not sufficient in light of the purposes for which cookies are placed and concerning the possibility of withdrawing consent. Google and Google Ireland have now been given three months to adapt again in order to avoid further fines.

The CNIL has issued a similar “ultimatum” to Europe Core as the similarly redesigned banner used by the Amazon subsidiary is also not regarded as a solution to the underlying problem.

Website operators should check the design of their cookie banners

In view of the drastic action taken by the French data protection authority, particular attention must be paid to the use of advertising cookies to ensure that consent is obtained in a legally sufficient manner and that users are provided with the necessary information. The Lower Saxony data protection authority recently published guidance on this issue to support adequate consent practices on websites. This document can certainly serve as a reference point to ensure data protection compliance.

In this light, the following points should be kept in mind when assessing the consent mechanism for the use of advertising cookies:

1. Cookies are placed only after consent has been given

Consent must be obtained before placing advertising cookies.

2. Informed consent

Users must be provided with the necessary information about the scope of their consent in particular about the identity of the controller, the processing purposes, the data types processed and the existence of their right to withdraw consent.

3. Clear and voluntary consent

Valid consent requires a clear confirmatory act. Users must also be able to refuse consent.

4. No undue influence on user decisions

Refusing consent must not be unnecessarily more complicated compared to acceptance (no undue “nudging”). Website operators should also avoid repeatedly asking users for their consent after they have refused it.

5. Revocability of consent

Withdrawal of consent must be possible in the same way and as simply as granting consent.

Contact us for additional advice concerning your cookie practices and, if necessary, a check of your current platform.

used. Click on ” More Information” to learn more about your options or visit the g.co/privacytools page at any time. “ At the bottom of the popup, are two buttons with the labels ” Plus d’information ” (“More information”) and ” J’accepte ” (“I accept”). Although the CNIL considers this new notice to be an improvement from Google’s previous practicesit considers the amount of information still not sufficient in light of the purposes for which cookies are placed and concerning the possibility of withdrawing consent. Google and Google Ireland have now been given three months to adapt again in order to avoid further fines. The CNIL has issued a similar “ultimatum” to Europe Core as the similarly redesigned banner used by the Amazon subsidiary is also not regarded as a solution to the underlying problem. Website operators should check the design of their cookie banners In view of the drastic action taken by the French data protection authority, particular attention must be paid to the use of advertising cookies to ensure that consent is obtained in a legally sufficient manner and that users are provided with the necessary information. The Lower Saxony data protection authority recently published guidance on this issue to support adequate consent practices on websites. This document can certainly serve as a reference point to ensure data protection compliance. In this light, the following points should be kept in mind when assessing the consent mechanism for the use of advertising cookies: 1. Cookies are placed only after consent has been given Consent must be obtained before placing advertising cookies. 2. Informed consent Users must be provided with the necessary information about the scope of their consent in particular about the identity of the controller, the processing purposes, the data types processed and the existence of their right to withdraw consent. 3. Clear and voluntary consent Valid consent requires a clear confirmatory act. Users must also be able to refuse consent. ​4. No undue influence on user decisions Refusing consent must not be unnecessarily more complicated compared to acceptance (no undue “nudging”). Website operators should also avoid repeatedly asking users for their consent after they have refused it. 5. Revocability of consent Withdrawal of consent must be possible in the same way and as simply as granting consent. Contact us for additional advice concerning your cookie practices and, if necessary, a check of your current platform.