The French data protection authority ('CNIL') announced, on 10 December 2020, that it had issued, on 7 December 2020, two fines totalling €100 million against Google LLC and Google Ireland Limited for cookie violations. In particular, CNIL outlined that it had, on 16 March 2020, completed an audit of google.fr which revealed that cookies, many of which were used for marketing purposes, were automatically placed on user equipment without affirmative action.

Specifically, CNIL highlighted three violations of Article 82 of the Act No.78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (as amended to implement the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) ('the Act'). Firstly, CNIL noted that cookies for marketing purposes, which are non-essential for the provision of Google's services, were automatically placed on the users' equipment without their prior consent. Secondly, CNIL found that the information banner was accompanied by two buttons to 'Remind me later' and 'Access now', which does not provide the user with any information in relation to the automatic placement of cookies on the users' equipment. Thirdly, CNIL indicated that the opt-out mechanism was partially defective, considering that, when a user deactivated personalised ads through the 'Consult now' button, one of the advertisement cookies remained on their computer and as such continued to read their information.

As a result, CNIL imposed a fine of €60 million against Google LLC, as the developer of the Google Search engine, and €40 million against Google Ireland Limited, Google's European headquarters, which CNIL found to be jointly responsible in determining the purposes and manner in which cookies are utilised. In the calculation of the fine, CNIL stated that it had considered factors such as the severity of committing three violations of the Act, the impact on 50 million users of Google Search, the financial gain indirectly generated by the collection of personal data through advertising cookies, and the fact that, since an update from September 2020, advertising cookies are no longer automatically placed on user equipment from arrival to google.fr. Lastly, CNIL added that, as the six month transition period for its guidelines and recommendations on the use of cookies and other trackers has not yet expired, the deliberation does not pertain to non-compliance with these.

CNIL has also announced a fine of €35 million against Amazon Europe Core Sarl for cookie violations.

You can read the press release here and the deliberation, only available in French, here.