The French data authority, CNIL, has fined Google and Amazon after investigations revealed that the tech giants were placing cookies on their websites, without the consent of consumers. In two orders, the CNIL placed a €100 million ($120 million) penalty on Google LLC and Google Ireland, and a €35 million ($42 million) on Amazon Europe.
Over the last few months, there has been increased scrutiny over Big Tech companies from regulators and legislatures across the world. The United States’ Department of Justice recently launched a lawsuit against Google and a coalition of states has come together to take on Facebook. Earlier in November, the European Commission launched an antitrust investigation into Amazon’s marketplace and retail practices in Germany and France, while Competition Commission of India has opened several investigations into Google, from its policies on the Play Store to alleged abuse of the smartphone Operating Systemm market, and in the smart TV market.
Violations by Amazon
In the case of Amazon, the restricted committee of the CNIL found that when users visited amazon.fr (French domain) a large number of cookies were automatically placed on their computer. The committee said these types of cookies for advertising purposes can only be placed after the user has expressed their consent, therefore the “deposit of cookies at the same time as arriving on the site was a practice which, by its nature, was incompatible with a prior consent.”
The CNIL also said that the information on amazon.fr was “neither clear, not complete” as the banner on the website only contained general information about the cookies on the website and did not explain how users could refuse these cookies. “Then, the restricted committee noticed that the company’s failure to comply with its obligation was even more obvious regarding the case of users that visited the website amazon.fr after they had clicked on an advertisement published on another website. It underlined that in this case, the same cookies were placed but no information was provided to the users about that,” the order says.
It noticed that, no matter what path the users used to visit the website, they were either insufficiently informed or never informed of the fact that cookies were placed on their computer. In the case of users visiting the website amazon.fr after they had clicked on an advertisement, the restricted committee considered that the instant deposit of cookies, added to the absence of any information, was violating the internet users’ rights —CNIL order dated December 10, 2020
The CNIL noted that amazon.fr was redesigned in September this year and the new website does not place cookies prior to the consent of users. ” However, it considered that the new information banner set up still does not allow the users living in France to understand that the cookies are mainly used to propose personalized ads and that they were still not informed that they could refuse these cookies,” it said. The CNIL also ordered Amazon to inform individuals adequately within three months from the order, or the company would have to pay a €100,00 for each day of delay.
Violations by Google
The CNIL found that Google LLC and its subsidiary Google Ireland had violated three aspects the French Data Protection Act, compared to Amazons’ two breaches. Similar to Amazon, the CNIL found that several advertising related cookies were automatically placed on a users’ computer when they visited google.fr.
“Since this type of cookies can only be placed after the user has expressed his or her consent, the restricted committee considered that the companies had not complied with the requirement provided for in Article 82 of the French Data Protection Act regarding the collection of prior consent before placing cookies that are not essential to the service,” it said.
The CNIL found that whenever a user deactivated the ad personalization on the Google search, advertising cookies ‘was still stored on his or her computer and kept reading information aimed at the server to which it is attached. “Therefore, the restricted committee considered that the “opposition” mechanism set up by the companies was partially defective, breaching Article 82 of the French Data Protection Act,” it said.
While websites have stopped automatically placing advertising cookies when a user arrives on the page google.fr, since September 2020, the new information banner does not explain the purposes for which the cookies are used and does not let users know that they can refuse these cookies, it said.
In both Google and Amazon’s case, the CNIL also ordered them to “adequately inform individuals, in accordance with Article 82 of the French Data Protection Act, within three months after the notification of the decision. Otherwise, the company must pay a penalty payment of 100 000 euros for each day of delay.”
- France to levy digital service tax on tech giants: Report
- Japan joining EU, US in antitrust war on Big Tech: Report