France’s data privacy regulator CNIL has slapped Google and Amazon with fines of €100 million ($121 million) and €35 million ($42 million) for their use of web cookies to track user activities without seeking proper consent.
According to CNIL, google.fr placed several web cookies solely for advertising purposes on the computers of users without their consent, and Google’s privacy banner lacked details about this secretive cookie.
The €100 million fine against Google is double CNIL’s previous largest fine — which was also issued against Google — and this is attributed to the seriousness of the breach, the amount of money the company makes off advertising and the scope of Google’s reach in France.
In a separate release, CNIL said that amazon.fr also placed a large number of non-essential advertising cookies on the computer of anyone who visited the page without their consent.
Like Google, Amazon also failed to provide adequate information about the cookies.
While cookies can be essential for a website’s functioning — allowing for user authentication and remembering preferences among other things — CNIL ruled that the violating cookies, in this case, were only used to serve ads to the user.
Both Amazon and Google redesigned their sites in September 2020, to remove the offending cookies, the releases added.
In a statement reported by Bloomberg, Google said that it stands by its “record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products.” The company added that the CNIL’s decision “overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving.” Amazon also disagreed with the findings noting that it continuously updates its privacy practices to ensure that it meets “the evolving needs and expectations of customers and regulators and fully [complies] with all applicable laws” in the countries in which it operates.
CNIL’s investigation also found that despite making changes to its site in September, Google’s new cookie notice presented to users still does not provide adequate information. This has led to the regulator hitting Google with an injunction which gives the company just three months to fix the cookie notice. If Google fails to do this in the stipulated time the company will face further fines of €100,000 per day until the violation stops.
The European Union’s General Data Protection Regulation (GDPR) which went into effect in May 2018 has dramatically increased the powers of the bloc’s privacy enforcers. Under GDPR, serious breaches of privacy can lead to fines of as much as 4% of a company’s annual global revenue. Google in particular has been at the receiving end of multiple fines from both EU and national regulators in the bloc. Later this month, the EU led by competition commissioner Margrethe Vestager will outline its ambitious Digital Services Act (DSA) that will lay out a wide set of rules for tech giants, that are likely to increase their responsibility in taking down harmful content and demand more transparency on algorithms used by them.