December 10, 2020
UNOFFICIAL ENGLISH TRANSLATION
FRENCH DATA PROTECTION AUTHORITY – NEWS
Cookies: 35 million euro fine against AMAZON EUROPE CORE
On December 7, 2020, the CNIL’s Restricted Committee sanctioned the company AMAZON EUROPE CORE with a fine of 35 million euros for having placed advertising cookies on the computers of users of the amazon.fr website without prior consent or satisfactory information.
Between December 12, 2019 and May 19, 2020, the CNIL carried out several checks, particularly online, concerning the amazon.fr website. These checks revealed that when a user visited the website, cookies were automatically placed on their computer, without any action on their part. Several of these cookies had an advertising objective.
Breaches of the Data Protection Act
The Restricted Committee, the CNIL body in charge of pronouncing sanctions, found two violations of Article 82 of the French Data Protection Act:
Placing of cookies without prior collection of the user’s consent
The Restricted Committee noted that when a user went to one of the pages of the amazon.fr website, a large number of advertising cookies were automatically placed on their computer, without any action on their part. However, the Restricted Committee recalled that this type of cookie, not essential to the service, could only be deposited after the Internet user had expressed their consent. It considered that placing cookies at the same moment the user arrived on the site was a practice which, by nature, was incompatible with prior consent.
A failure to inform users of the website amazon.fr
First of all, the Restricted Committee noted that in the case of an Internet user visiting the amazon.fr website, the information provided was neither clear nor complete.
Second, the Restricted Committee noted that the company’s failure to meet its obligations was even more apparent in the case of users who visited the amazon.fr site after clicking on an ad published on another website. It emphasized that in this case, the same cookies were placed without any information delivered to the Internet users.
The sanction pronounced by the Restricted Committee
The Restricted Committee sanctioned the company AMAZON EUROPE CORE with a fine of 35 million euros, which has been made public. The amount of the fine, as well as its public nature, are justified by the seriousness of the breaches observed.
Account was taken of the fact that until the overhaul of the amazon.fr website in September 2020, the company placed cookies on the computers of Internet users residing in France without providing them with the information under conditions that complied with Article 82 of the Act. It noted that, whatever the path taken by the Internet user going to the site, they were either insufficiently informed or never informed of the placing of cookies on their computer. The Restricted Committee considered that in the case of users accessing the site amazon.fr after having clicked on an ad, the instant placing of cookies, combined with the absence of any information, was particularly prejudicial to the rights of Internet users.
In addition, even though the company’s main activity is the sale of consumer goods, the personalization of ads, made possible in particular thanks to cookies, considerably increases the visibility of its products elsewhere on the web. Finally, given the central place occupied by the amazon.fr website in terms of online commerce, millions of people living in France visit the site daily and see cookies being placed on their computers.
The Restricted Committee took note of the recent changes made to the amazon.fr website and in particular the fact that cookies are now no longer placed before users have given their consent. It nevertheless considered that the new information banner deployed still did not allow Internet users residing in France to understand that cookies are mainly used to display advertising on the site.
Therefore, in addition to the administrative fine, the Restricted Committee has also adopted an injunction under penalty requiring the company to inform the persons concerned in accordance with Article 82 of the Data Protection Act within 3 months of the notification of the decision. Otherwise, the company will be liable to a penalty payment of 100,000 euros per day of delay.
A competence of the CNIL
The articulation of the sanction with the work of the CNIL on cookies
On this occasion, it nevertheless specified that it would continue to fully monitor compliance with the other obligations that have not been amended and, if necessary, to adopt corrective measures to protect the privacy of Internet users.
The obligations that the CNIL is sanctioning today regarding non-compliance by companies with the GDPR were pre-existing and are therefore not among those that have been clarified by the new guidelines and the recommendation of October 1, 2020.
Note: the company Amazon Europe Core is a company under Luxembourg law, part of the Amazon group and is responsible for the European “Amazon” websites, including the amazon.fr website.