Cookies: financial penalty of 35 million euros imposed on the company AMAZON EUROPE CORE
On 7 December 2020, the CNIL’s restricted committee, which is responsible for imposing sanctions, fined the company AMAZON EUROPE CORE 35 million euros for having placed advertising cookies on users’ computers, from the page amazon.fr, without obtaining prior consent and without providing adequate information.
From 12 December 2019 to 19 May 2020, the CNIL conducted several investigations, including online investigations, regarding the website amazon.fr. These investigations allowed to observe that when a user visited the website, cookies were automatically placed on his or her computer, without any action required on his or her part. Several of these cookies were used for advertising purposes.
Breaches of the French Data Protection Act
The CNIL’s restricted committee, which is responsible for imposing sanctions, noticed two breaches of Article 82 of the French Data Protection Act:
Deposit of cookies without obtaining the prior consent of the user
The restricted committee noted that when a user visited one of the pages of the website amazon.fr, a large number of cookies used for advertising purposes was automatically placed on his or her computer, before any action required on his or her part. Yet, the restricted committee recalled that this type of cookies, which are not essential to the service, can only be placed after the user has expressed his or her consent. It considered that the deposit of cookies at the same time as arriving on the site was a practice which, by its nature, was incompatible with a prior consent.
Lack of information provided to the users of the website amazon.fr
First, the restricted committee noted that, in the case of a user visiting the website amazon.fr, the information provided was neither clear, nor complete.
Then, the restricted committee noticed that the company’s failure to comply with its obligation was even more obvious regarding the case of users that visited the website amazon.fr after they had clicked on an advertisement published on another website. It underlined that in this case, the same cookies were placed but no information was provided to the users about that.
The sanction imposed by the restricted committee
The restricted committee imposed a fine of 35 million euros to the company AMAZON EUROPE CORE and decided to makes it public. The amount of the fine, and the decision to make it public, are justified by the seriousness of the breaches observed.
It was taken into account that, until the redesign of the website amazon.fr in September 2020, the company was placing cookies on the computers of users living in France, without providing them with information, in accordance with Article 82 of the Act. It noticed that, no matter what path the users used to visit the website, they were either insufficiently informed or never informed of the fact that cookies were placed on their computer. In the case of users visiting the website amazon.fr after they had clicked on an advertisement, the restricted committee considered that the instant deposit of cookies, added to the absence of any information, was violating the internet users’ rights.
The restricted committee duly noted the recent developments made on the site amazon.fr and in particular the fact that now, no cookie is placed before the consent of the user. However, it considered that the new information banner set up still does not allow the users living in France to understand that the cookies are mainly used to propose personalized ads and that they were still not informed that they could refuse these cookies.
As a consequence, in addition to the financial penalty, the restricted committee also ordered the company to adequately inform individuals, in accordance with Article 82 of the French Data Protection Act, within three months after the notification of the decision. Otherwise, the company must pay a penalty payment of 100 000 euros for each day of delay.
The competence of the CNIL
The link between the sanction and the work of the CNIL on cookies
On this occasion, the CNIL however added that it will keep fully controlling compliance with the other obligations that have not been modified and, if necessary, adopting corrective measures to protect the privacy of internet users.
The CNIL punishes today the breach, by the company AMAZON EUROPE CORE, of obligations that existed before the GDPR and were therefore not concerned by the new guidelines and the recommendation of 1st October 2020.
NB : The company Amazon Europe Core is a company incorporated under Luxembourgish law, that is part of the Amazon group and is responsible of the European websites “Amazon”, whose internet website is Amzon.fr.