France’s data protection agency, the CNIL, has slapped Google and Amazon with fines for dropping tracking cookies without consent.
The regulator carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.
In Google’s case the CNIL has found three consent violations related to dropping non-essential cookies.
“As this type of cookies cannot be deposited without the user having expressed his consent, the restricted committee considered that the companies had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies,” it writes in the penalty notice [which we’ve translated from French].
Amazon was found to have made two violations, per the CNIL penalty notice.
CNIL also found that the information about the cookies provided to site visitors was inadequate — noting that a banner displayed by Google did not provide specific information about the tracking cookies the Google.fr site had already dropped.
Under local French (and European) law, site users should have been clearly informed before the cookies were dropped and asked for their consent.
The law on tracking cookie consent has been clear in Europe for years. But in October 2019 a CJEU ruling further clarified that consent must be obtained prior to storing or accessing non-essential cookies. As we reported at the time sites that failed to ask for consent to track were risking a big fine under EU privacy laws.
Google and Amazon are now finding that out to their cost, it seems.
We’ve reached out to Amazon and Google for comment on the CNIL’s action.
In Google’s case the CNIL also found that when a user selected to deactivate personalized advertising — via an option that Google’s cookie notice presented them with — the mechanism only partially worked, as one advertising cookie remained stored on their machine and continued to process data in clear violation of the consent law.
This story is developing — refresh for updates…