
CNIL fines US tech giants following cookies sweep

Locations

Belgium

On 7 December 2020, the French data protection authority (CNIL) imposed heavy fines on Google LLC, Google Ireland Ltd and Amazon Europe for a total amount of €135M. The fines are based on a violation of the so-called "cookies rules" as implemented under French law. The CNIL also ordered Google and Amazon to take corrective measures on their websites within 3 months. In so doing, the CNIL continues to take the lead as one of the stronger EU enforcement bodies and confirms its intention to enforce French cookie rules against large US tech giants.

How was the CNIL able to enforce despite the one-stop shop mechanism?

The GDPR establishes a complex consistency and cooperation mechanism known as the "one-stop shop", which determines which supervisory authority is competent to enforce the GDPR in respect of cross-border processing.

Google and Amazon claimed that the one-stop shop applied to them and that, as a result, the Irish and the Luxembourg data protection authorities were competent to supervise their activities. Google argued that, in order to avoid a fragmentation of the decisions delivered by EU authorities on cookies (see our related post), the cookie rules should be enforced like any other GDPR matter. According to Amazon, the use of cookies necessarily involves the processing of personal data, and therefore it falls within the material scope of both the ePrivacy Directive and the GDPR. The CNIL did not agree with these arguments and relied instead on recital 173 of the GDPR and on the Court of Justice of the EU's ruling in the Planet49 case to argue that the one-stop shop did not apply.

The CNIL also referred to Article 15bis of the ePrivacy Directive which gives Member States the power to enforce the provisions of the ePrivacy Directive. In France, Article 5(3) of the ePrivacy Directive was implemented under Article 82 of the French Data Protection Act ("French ePrivacy Rule") as follows: "Any (…) user of an electronic communications service must be informed in a clear and comprehensive manner, unless he or she has been informed beforehand by the controller (…): 1° about the purpose of [cookies or online trackers] ; 2° the means at his or her disposal to object to it. Such access or storing of information may only take place on condition that the (…) user has expressed his or her consent, after receiving this information (…)". According to the CNIL, dropping cookies on the devices of Google or Amazon users residing in France falls within the scope of the French ePrivacy Rule. The CNIL found that Google Ireland Ltd and US-based Google LLC were jointly responsible for this cookie processing. Similarly, the EU headquarters of Amazon, based in Luxembourg, was responsible.

The CNIL further stated that the European Data Protection Board itself considered in its opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR that GDPR mechanisms did not apply to the ePrivacy Directive.

The CNIL therefore asserted its competence to enforce the French ePrivacy Rule, regardless of the one-stop shop. 

What cookie violations did the CNIL find?

1. Lack of prior information about cookies and the possibility to refuse cookies

Google failed to inform Google Search users about the existence of cookies on Google.fr, their purposes and how users could refuse them. The banner displayed on the website only mentioned that further information was accessible on another page entitled "Confidentiality Rules" without explicitly referring to cookies. The information relating to cookies was very difficult to access, as users had to scroll down the Confidentiality Rules to click on "other options". Google did modify its banner during the CNIL proceedings to insert an explicit reference to cookies, a general description of their purposes and "further options" and "more information" buttons. In the CNIL's opinion, these corrective measures were insufficient because Google had failed to specify all the cookie purposes and the available means to reject these cookies. 

Amazon provided either incomplete information about cookies – or no information at all. In that regard, the CNIL considered that describing cookies as used for the purpose of "offering and improving our services" did not make users aware of the cookies that were used for targeted ads. The "Adchoice" icon displayed on ads was also deemed insufficient. In addition, the banner used on Amazon's website did not inform users about how they could reject cookies. Lastly, a "cookie" hyperlink inserted at the bottom of webpages did not amount to prior information.

2. Lack of prior user consent for advertising cookies

During the online inspections, the CNIL found that Google and Amazon were automatically setting advertising cookies as soon as users started browsing Google Search or Amazon.fr. More specifically, Amazon's cookie banner inferred consent from further browsing. The CNIL unsurprisingly confirmed that advertising cookies required users' prior consent. However, both Google and Amazon stopped this practice over the course of the proceedings.

3. Failure to effectively take into account users' objection to cookies

According to the CNIL, Google also failed to offer users an efficient means to object to cookies. Users could turn off the "Personalise ads" feature. Yet, despite the deactivation of this feature, Google was still dropping an advertising cookie. 

4. Administrative fines and injunction orders

The CNIL imposed a fine of €60M on Google LLC, €40M on Google Ireland Limited and €35M on Amazon. The cookie violations affected 55M Google Search users in France and enabled Amazon to collect 300M cookie IDs. The CNIL argued that both Google and Amazon had made significant profit, since their business model was based on tracking users. The CNIL deemed these two factors to be aggravating circumstances, along with the fact that the violations deprived users of their choices.

The CNIL also ordered Google and Amazon to adequately inform users about cookies and gave them 3 months to implement corrective measures. If they fail to do so, they will have to pay a daily penalty fee of €100,000. Google and Amazon can challenge the CNIL's decision before the French State Council ("Conseil d'Etat").

What are the key takeaways? How should website publishers comply? 

Pressure on website publishers. Google and Amazon are giant players in the advertising chain, and they provide a whole range of services to advertisers or website publishers. The CNIL's decision does not analyse the entire advertising ecosystem with all its complexities, but rather focuses only on the types of cookies that are dropped on the Google.fr and Amazon.fr websites. The CNIL did not analyse, for example, how cookie data is then disclosed to adtech intermediaries or advertisers. As a result, the CNIL focused its enforcement strategy on website publishers, which ultimately puts a lot of pressure on them.

Many websites still do not comply with the French ePrivacy Rule. The CNIL enforced the notice and consent requirements that are explicitly enshrined in the French ePrivacy Rule. However, the reality is that many – if not most – websites still do not comply with these requirements. Many website publishers knowingly choose a risk-based approach not to comply or are passively adopting a "wait-and-see" approach. In light of the intensifying enforcement actions we are seeing, website publishers would be well advised to re-assess the risk of not complying and to adjust their Consent Management Platforms accordingly to comply with the French ePrivacy Rule.

The CNIL's eagerness for enforcement. Last November, the CNIL fined two Carrefour entities for similar cookie violations. In the Carrefour decisions, the CNIL initiated investigations following complaints from customers. Even though the complaints did not relate to cookies, the CNIL decided to extend its investigation to the compliance of Carrefour's websites. In the Google and Amazon decisions, the CNIL carried out online investigations on its own initiative, without previous user complaints. This clearly shows a trend to proactively enforce cookie rules regardless of whether there are complaints from users. It is worth recalling that the CNIL did make cookies compliance one of its top three priorities as part of its enforcement strategy in 2020.

Should we expect more enforcement in 2021?

The CNIL has now repealed its outdated guidance on cookies dating from 2013 and adopted new guidance in 2019-2020. Starting from March 2021, the grace period that was granted by the CNIL following the adoption of the new guidance will come to an end and the CNIL will start enforcing its new cookie guidance. In light of these recent regulatory changes, one can expect the CNIL to continue to carry out online inspections in 2021.

Now may be a good time for companies to audit their websites and verify what types of cookies they are using in preparation for possible upcoming online investigations.
