France’s data regulator today announced it had fined Google 100 million euros and Amazon 35 million euros – around AU$219 million – for placing advertising cookies on users’ computers without consent.

The french regulator, CNIL, conducted investigations into the tech giants between December last year and May regarding their french homepages. It found when users visited the sites Google and Amazon planted cookies on their computer without collecting consent – a breach of the French Data Protection Act.

Internet companies like Amazon and Google place cookies on users’ computers to store their preferences and reduce the requirement to re enter information. But the cookies – actually small pieces of code – can also collect information on users browsing behaviour which can be used to sell targeted advertising.

For years companies have skirted consent laws, often relying on catch all terms and implied consent.

Europe’s top court, the Court of Justice of the European Union, clarified in October 2019 that consent must be obtained for storing or accessing non-essential cookies.

The CNIL has previously fined Google 50 million euros (AU$79 million) for failing to comply with GDPR by not providing users enough transparency around its advertising.

The search giant has also received GDPR complaints this year about its advertising tracking on mobiles.

Cut the cookies

Under french law websites must first obtain user permission before placing cookies. Google and Amazon’s failure to do so constituted part of a serious breach of the law.

Google and Amazon also failed to provide users with adequate information about the cookies, which likely affected millions of users, according to the CNIL. 

The regulator says the privacy options banner Google showed French users had two buttons: “Remind me later” and “Access now” but did not include information on the cookies that had been automatically downloaded.

Amazon’s banner displayed the message “By using this website, you accept our use of cookies allowing us to offer and improve our services. Read More” but did not include enough information on the cookies purpose or let users know they could opt out.

The lack of consent and adequate information earned Amazon a 35 million euro fine.

Google had additionally failed to offer an effective “opposition” mechanism because even after opting out of the personalised ads some cookies were still stored on the computer and continued to collect information.

CNIL fined Google LLC and Google Ireland Limited a total of 100 million euros. The companies must correct the practice and inform affected individuals within three months or face an additional 100 000 euros for each day of delay. 

The regulator says the large fines are justified because of the reach of the tech giants and the amount of money they make from advertising, directly in the case of Google or indirectly in the case of Amazon which mainly sells consumer goods (although its ad business is growing quickly).

Previous post

Basiq offers open banking data holder compliance through Mulesoft partnership

Next post

Amazon backs more renewable power with Victorian wind farm deal