Fri, Sep
43 New Articles

Dramatic Fines for Google and Amazon for Violating Cookie Rules

Dramatic Fines for Google and Amazon for Violating Cookie Rules

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In December 2020, the French Data Protection Authority (Commission nationale de l’informatique et des libertés or the “CNIL”) imposed significant fines of EUR 60 million for Google LLC and EUR 40 million for Google Ireland Limited, as well as of EUR 35 million for Amazon Europe Core.

Google LLC and Google Ireland

The CNIL fined them due to: a) their negligence to obtain the consent of users of the French version of Google search engine (google.fr) before setting advertising cookies on users’ devices, b) the lack in providing users with adequate information about the use of cookies, and c) because of their alleged failure to implement a fully effective opt-out mechanism to enable users to refuse cookies. Precisely, the CNIL’s inspection of the google.fr website revealed that, when users visited that site, seven cookies were automatically set on their device. Four of these cookies were advertising cookies.

Google LLC argued that Google Ireland Limited is solely responsible for those operations because Google LLC is a processor. Following the CNIL’s investigation, the CNIL found that Google LLC exercises a decisive influence in those decision-making bodies and that Google LLC also participates in the determination of the means of processing (since Google LLC designs and builds the technology of cookies set on the European users’ devices). The CNIL concluded that Google LLC and Google Ireland Limited are joint controllers, and consequently, both Google LLC and Google Ireland Limited were deemed jointly responsible for the use of cookies as both were considered to exercise decision-making power in relation to data processing concerning users located in France.. 

Amazon Europe Core 

On the same date, the CNIL announced that the CNIL fined Amazon Europe Core under the same rules for its alleged failure to: a) obtain the consent of users of the amazon.fr site before setting advertising cookies on their devices, and b) provide adequate information about the use of cookies. Namely, the investigation revealed that, whenever users first visited the home page of the amazon.fr website or visited the site after they clicked on an ad published on another site, more than 40 advertising cookies were automatically set on their device. These cookies were not set with user consent and could not remove them entirely.

Amazon Europe Core tried to argue (among other arguments) the CNIL jurisdiction by pointing out that the competent authority should be Luxembourgian data protection authority, keeping in mind that the seat of Amazon Group in Europe is set in Luxemburg, which argument did not pass. 

Breach of the French Data Protection Act

According to the CNIL, the mentioned companies did not provide users with information regarding the cookies that were already set on their device. Furthermore, the CNIL found that: a) the information provided to users does not enable them to understand the type of content and ads that may be personalized based on their behavior, and b) Google and Amazon also failed to provide clear information about how the online trackers would be used, and how visitors to the French websites could refuse the cookies.

In both cases, the CNIL took into account the seriousness of the breaches of the French Data Protection Act and the high number of users affected by those breaches. Furthermore, the CNIL wanted to enforce their ruling by ordering a periodic penalty payment of EUR 100,000 for each day of delay in complying with the injection.

The mentioned companies have four months to appeal the respective decision before France’s highest administrative court. Hence, this legal battle is still ongoing.

This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.

By Katarina Zivkovic, Senior Associate, and Katarina Askic, Junior Associate, Samardzic, Oreski & Grbovic

SOG / Samardzic, Oreski & Grbovic at a Glance

SOG / Samardžić, Oreški & Grbović is a full service business law firm providing the highest quality legal advice across a wide range of key areas of corporate law in Serbia and the Western Balkans. We are particularly noted for legal expertise, high professional and ethical standards, attention to detail, and responsiveness. SOG is firmly committed to providing advice at the highest level and achieving lasting results for our clients.

In order to provide our regional and international clients having business interests in more than one jurisdiction, we have also established a strong regional presence through our partner offices in Bosnia & Herzegovina, Macedonia, and Montenegro. This way, our clients gain a full spectrum of support and the most up to date and nuanced advice on the business and regulatory environment across the entire region.

Firm's website: www.sog.rs