Cordery

Legal.Compliance.

Client Alert: French DP Regulator CNIL, reveals decisions of Cookies Investigation

Introduction

The French DP Regulator, Commission nationale de l’informatique et des libertés (CNIL) announced a brace of decisions as a result of Cookies Investigations. In total, they levied fines of €135m against Google and Amazon.

What was the case against Google about?

CNIL said that they started an investigation into Google’s French website on 16 March 2020 and found that when a user visited the website, cookies were automatically placed on their computer. Some of these cookies were for advertising purposes.

CNIL determined that this was a breach of French data protection law as the cookies were not essential to the delivery of Google service. They also said that Google service lacked transparency as whilst there were privacy reminders on Google’s website, the cookies arrived before a visitor was able to see those terms.

What was the sanction against Google?

CNIL imposed a financial penalty of €60m on Google LLC and €40m on Google Ireland Ltd. CNIL also noted that Google had updated its practices in September 2020 but it felt that these changes were not enough and CNIL also ordered Google to improve its transparency within 3 months. If it fails to do so, it will be subject to an additional penalty of €100k per day.

What about one-stop shop

The one-stop-shop mechanism for GDPR has been under pressure since GDPR came in. CNIL previously took action against Google in 2019. You can see our alert and film on that case here https://www.corderycompliance.com/french-data-protection-authority-fines-google-e50m-for-violations/ Since then there have been protracted proceedings through the French authorities to try and determine the jurisdiction of CNIL over Google and Google partially restructured its operations.

CNIL felt that it was competent to decide this case despite one-stop shop in part as the use of cookies falls under the ePrivacy Directive rather than under GDPR. CNIL also felt that Google LLC and Google Ireland Ltd were jointly responsible since they both determined the purposes and related to the use of cookies.

 What was the Amazon case about?

CNIL conducted an investigation into Amazon between 12 December 2019 and 19 May 2020. Again it looked at the French Amazon website – amazon.fr – the criticisms at Amazon was similar to those that CNIL had about Google’s French website. It said that Amazon was not specific about the cookies placed and it only gave general information about the use of cookies.

What was CNIL’s penalty against Amazon?

CNIL imposed a fine of €35m. Amazon redesigned its French website in September 2020 but again CNIL felt that this redesign did not fix the problem. There were improvements but the transparency requirements were still not met. Again, CNIL ordered Amazon to make changes within three months of the decision and in default, CNIL will levy an additional penalty of €100k per day.

CNIL decided again that GDPR one-stop shop did not apply for similar reasons.

What happens next?

CNIL have said that these activities are part of a concerted effort regarding the use of cookies and tracking devices. We can expect more cases.

Lessons learned

It is clear that CNIL has cookie compliance in its sights. These are the latest and biggest cases but CNIL has had other cookies investigations in the past and we can expect more to come. There are proposals to change EU cookies laws to bring them more into line with GDPR but it is clear that CNIL does not intend to wait.

Every organisation should make sure that it keeps on top of cookie laws. This is likely to include a review of the cookies that it uses and a concentration on being open and honest with visitors to a website about their use.

Cordery’s cookie compliance solutions could help https://www.corderycompliance.com/more-cordery-solutions/cookie-selection/

There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.