We’re not talking Christmas cookies, here!  France’s data protection agency, the Commission nationale de l’informatique et des libertés (CNIL), has slapped Google and Amazon with fines of over $160 million for dropping tracking cookies without consent.

According to TechCrunch (France fines Google $120M and Amazon $42M for dropping tracking cookies without consent, written by Natasha Lomas), Google has been hit with a total of €100 million ($120 million) for dropping cookies on Google.fr and Amazon €35 million (~$42 million) for doing so on the Amazon.fr domain under the penalty notices issued last week.

The regulator carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.

In Google’s case the CNIL found three consent violations related to dropping non-essential cookies.

“As this type of cookies cannot be deposited without the user having expressed his consent, the restricted committee considered that the companies had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies,” it writes in the penalty notice.

In Google’s case the CNIL also found that when a user selected to deactivate personalized advertising — via an option that Google’s cookie notice presented them with — the mechanism only partially worked, as one advertising cookie remained stored on their machine and continued to process data in clear violation of the consent law.  The CNIL’s penalty for Google breaks down into a fine of €60 million for Google LLC and €40 million for Google Ireland Ltd.

Per the CNIL’s investigation, Google stopped automatically dropping the ad cookies on the Google.fr domain after an update in September 2020. However it said a new cookie notice that’s presenting to arriving users still does not provide adequate information about what the cookies are used for nor inform users they can refuse these non-essential cookies.

Because of this the CNIL has also hit Google with an injunction — giving it three months to correct the cookie notices so they provide the required information to users or Google is risking further fines of €100,000 per day until the violation stops.

Amazon was found to have made two violations, per the CNIL penalty notice.

CNIL also found that the information about the cookies provided to site visitors was inadequate — noting that a banner displayed by Google did not provide specific information about the tracking cookies the Google.fr site had already dropped.

Under local French (and European) law, site users should have been clearly informed before the cookies were dropped and asked for their consent.

In Amazon’s case its French site displayed a banner informing arriving visitors that they agreed to its use of cookies. CNIL said this did not comply with transparency or consent requirements — since it was not clear to users that the tech giant was using cookies for ad tracking. Nor were users given the opportunity to consent.

This is the second fine for Google from the CNIL – they were previously fined $57 million, back in 2019 — also for failing transparency requirements. That case was related to complaints filed under the EU’s General Data Protection Regulation (GDPR).

In case you ever wondered why pretty much every site you visit these days asks for consent regarding their cookies, this is why.  And fines like this are also why organizations are having to change how they capture and track personal data.  Are fines of $162 million getting serious about data protection?  Oui, oui!

So, what do you think?  Are you surprised at the size of the fines?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.