The French Data Protection Authority (CNIL) has issued two very significant fines for breach of the laws on the use of cookies. We consider if this marks a step change in the enforcement of cookie laws.

Fines of €135 million

At the end of 2020, the CNIL fined Amazon France Core €35 million, and Google LLC and Google Ireland Limited €100 million.

The fines are the product of various investigations, both online and on site, by the CNIL indicating that Google and Amazon automatically placed cookies for advertising purposes on users’ terminals without any action on the users’ part and without providing adequate prior information. Google also partially failed to implement an appropriate objection mechanism.

There are four key findings underpinning the fines.

1. Competence of the CNIL

In both decisions, the CNIL’s restricted committee decided the CNIL is materially and territorially competent to sanction cookies placed on the computers of users living in France:

• Materially, since the operations related to the use of cookies fall under the provisions of Article 82 of the French Data Protection Act (FDPA), transposing article 5(3) of the ePrivacy Directive (not the GDPR). Accordingly, the “one-stop shop” mechanism introduced by the GDPR does not apply.
• Territorially, since the placing of cookies results from activities of French subsidiaries of Google and Amazon promoting their products and services on French territory. This constitutes an establishment of the Google and Amazon’s groups and these subsidiaries fall within the territorial scope of application of Article 3 of the FDPA.

2. Failure to obtain consent

The CNIL’s restricted committee decided that Google and Amazon should have collected the consent of users before placing advertising cookies on the users’ terminals. These cookies need consent as their purpose is not to allow or facilitate communication by electronic means nor are they strictly necessary for the provision of an online communication service at the express request of the user (Article 82 of the FDPA).

Both companies placed advertising cookies without any positive action on the users’ part, which necessarily prevented those users from expressing any valid consent. The CNIL reiterated that, in accordance with its latest decision on cookies^[1], simply continuing to browse is not considered to be a positive action constituting valid consent.

3. Failure to provide information

The CNIL's restricted committee considered that information relating to the placing of cookies on terminal equipment must be provided to users residing in France, whether they arrive directly at the site via the home page or via an advertisement published on a third-party site.

Google and Amazon were criticised for not providing users, upon arrival on the site, with clear information about the purposes of all the cookies placed on the users’ terminals and the means to refuse them. The CNIL thus concluded that Google and Amazon had acted in breach of Article 82 of the FDPA in that the information was not clear and complete.

4. Partially defective objection mechanism

Finally, the CNIL also found that cookies placed by Google remained on the user's terminal without being assigned the opt-out value. The CNIL concluded this was a breach of the obligation in Article 82 of the FDPA to set up an effective mechanism allowing users to reject the use of non-essential cookies.

A step change in sanctions

Those fines are the most significant sanction from the CNIL to date and demonstrate an intention to strictly enforce the rules on cookies.

In addition, in both decisions, the CNIL issued injunctions to comply with Article 82 of the FDPA within three months or face further fines of €100,000 per day until the cessation of the breach.

Google and Amazon now have four months to appeal the CNIL’s decisions to the highest administrative court in France, the Conseil d’Etat.

Compliance with guidelines and recommendations

The sanctions against Google and Amazon relate to breaches of obligations that existed before the CNIL issued new, stricter guidance in October 2020. This new guidance amongst other things insists on the need to collect consent via a positive act and limits the possibility to use the so called “cookies walls”.

However, the sanctions indicate that business should comply strictly with the CNIL amended guidelines and marks a turning point in sanctions for not doing so.

Position across the EU

This enforcement forms part of a general trend across the EU of data protection authorities either republishing new guidelines or sanctioning companies on cookies-related topics, albeit none as severely as the CNIL.

Italy - The Garante recently published the long-awaited draft guidelines on cookies and opened a public consultation to gather stakeholders’ views.

The new guidelines focus on analytics cookies and third-party cookies, the use of fingerprinting and other passive identifiers, the prohibition of cookie walls, as well as on the modalities of consent collection. In particular, a section is entirely dedicated to “scrolling” and its problematic compatibility with consent requirements, also in light of the guidelines on consent recently issued by the European Data Protection Board (EDPB).

With the new guidelines, the Garante will complement and, to some extent, replace its previous recommendations on cookies published in 2014 which have now become obsolete due to the rapid evolution of tracking technologies. To gather feedback on the guidelines, the Garante has launched a public consultation which will run until the middle of January 2021.

Spain - The AEPD has recently published its updated guidance on the use of cookies in light of the above-mentioned EDPB guidelines on consent.

The AEPD’s initial position had sparked controversy, as scrolling or continued browsing were seen as valid forms of consent. Nevertheless, the AEPD subsequently changed its position in line with the guidance of the EDPB that scrolling or swiping do not satisfy the requirement of a clear and affirmative action under the GDPR.

During the last few months, the AEPD has also taken enforcement actions against several multinational companies and imposed the highest fines available under Spanish laws for unlawful use of cookies (which are limited to a maximum amount of €30,000 in accordance with the Spanish Information Society Services and E-commerce Act that transposes the ePrivacy Directive into the Spanish legislation).