France: CNIL fines Google and Google Ireland €100M for cookie violations on google.fr
The French data protection authority ('CNIL') announced, on 10 December 2020, that it had issued, on 7 December 2020, two fines totalling €100 million against Google LLC and Google Ireland Limited for cookie violations. In particular, CNIL outlined that it had, on 16 March 2020, completed an audit of google.fr which revealed that cookies, many of which were used for marketing purposes, were automatically placed on user equipment without affirmative action.
Specifically, CNIL highlighted three violations of Article 82 of the Act No.78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (as amended to implement the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) ('the Act'). Firstly, CNIL noted that cookies for marketing purposes, which are non-essential for the provision of Google's services, were automatically placed on the users' equipment without their prior consent. Secondly, CNIL found that the information banner was accompanied by two buttons to 'Remind me later' and 'Access now', which does not provide the user with any information in relation to the automatic placement of cookies on the users' equipment. Thirdly, CNIL indicated that the opt-out mechanism was partially defective, considering that, when a user deactivated personalised ads through the 'Consult now' button, one of the advertisement cookies remained on their computer and as such continued to read their information.
CNIL has also announced a fine of €35 million against Amazon Europe Core Sarl for cookie violations.
You can read the press release here and the deliberation, only available in French, here.