UNOFFICIAL ENGLISH TRANSLATION

FRENCH DATA PROTECTION AUTHORITY – NEWS

https://www.cnil.fr/fr/cookies-sanction-de-60-millions-deuros-lencontre-de-google-llc-et-de-40-millions-deuros-lencontre-de 

Cookies: €60 million fine against GOOGLE LLC and €40 million fine against GOOGLE IRELAND LIMITED

10 December 2020

On December 7, 2020, the CNIL’s Restricted Committee sanctioned the companies GOOGLE LLC and GOOGLE IRELAND LIMITED with a total fine of 100 million euros, specifically for having placed advertising cookies on the computers of users of the search engine google.fr without prior consent or satisfactory information.

On March 16, 2020, the CNIL carried out an online check on the website google.fr which revealed that when a user visited the website, cookies were automatically placed on their computer, without any action on their part. Several of these cookies had an advertising objective.

Breaches of the Data Protection Act

The Restricted Committee, the CNIL body in charge of pronouncing sanctions, found three violations of Article 82 of the French Data Protection Act:

Placing of cookies without prior collection of the user’s consent

When a user visited the google.fr website, several cookies with an advertising purpose were automatically placed on the user’s computer without any action on their part.

As this type of cookie could not be placed without the user’s consent, the Restricted Committee considered that the companies had not complied with the requirement set forth in Article 82 of the French Data Protection Act to obtain prior consent before placing cookies that were not essential to the service.

A failure to inform users of the search engine google.fr

When a user visited the google.fr website, an information banner was displayed at the bottom of the page, bearing the following words “Reminder regarding Google’s privacy policy” in front of which were two buttons entitled “Remind me later” and “Consult now”.

This banner did not provide the user with any information about the cookies that had already been placed on their computer when they arrived on the website. Nor was this information provided to the user when they clicked on the “Consult Now” button.

The Restricted Committee therefore considered that the information provided by the companies did not allow users residing in France to be previously and clearly informed about the placing of cookies on their computer and, consequently, about the objectives of these cookies and the means made available to them as to the possibility of refusing them.

The partial failure of the “opposition” mechanism

When a user disabled the personalization of Google search ads using the mechanism available to them from the “Consult Now” button, one of the ad cookies would remain stored on their computer and continue to read information to the server to which it was attached.

The panel therefore considered that the “opposition” mechanism put in place by the companies was partially defective, in violation of Article 82 of the French Data Protection Act.

The sanction pronounced by the Restricted Committee

The Committee sanctioned the company GOOGLE LLC with a fine of 60 million euros and the company GOOGLE IRELAND LIMITED with a fine of 40 million euros, which were made public.

The Committee justified these amounts in view of the seriousness of the aforementioned triple breach of Article 82 of the French Data Protection Act.

It also highlighted the reach of the Google Search search engine in France and the fact that the companies’ practices affected nearly fifty million users.

Finally, the Committee pointed out the considerable benefits that the companies derive from the advertising revenues indirectly generated from the data collected by these advertising cookies.

The Committee noted that, since an update in September 2020, companies have stopped automatically placing advertising cookies as soon as the user arrives on the google.fr page.

It nevertheless noted that the new information banner implemented by the companies upon arrival on the google.fr page still did not allow users residing in France to understand the purposes for which cookies are used and did not inform them of the fact that they could refuse these cookies.

Therefore, in addition to administrative fines, the Restricted Committee also adopted an injunction under penalty so that the companies proceed to inform people in accordance with Article 82 of the Data Protection Act within 3 months of the notification. Otherwise, the companies will be liable to a penalty payment of 100,000 euros per day of delay.

A competence of the CNIL

In its deliberation, the Restricted Committee recalled that the CNIL is materially competent to control and sanction cookies placed by companies on the computers of users residing in France. It thus stressed that the cooperation mechanism provided for by the GDPR (“one-stop shop” mechanism) was not intended to apply in this procedure since operations related to the use of cookies fall under the “ePrivacy” directive, implemented in Article 82 of the French Data Protection Act.

It considered that the CNIL is also territorially competent under Article 3 of the Data Protection Act because the use of cookies is made within the “framework of activities” of the company GOOGLE FRANCE which is the “establishment” on French territory of GOOGLE LLC and GOOGLE IRELAND LIMITED and promotes their products and services.

It also considered that the companies GOOGLE LLC and GOOGLE IRELAND LIMITED are jointly responsible since they both determine the purposes and means related to the use of cookies.

The articulation of the sanction with the work of the CNIL on cookies

As part of its action plan on advertising targeting and to take into account the entry into force of the GDPR, the CNIL published on October 1, 2020 its amending guidelines and a recommendation on the use of cookies and other tracers. The CNIL asked the actors to comply with the rules thus clarified, considering that this adaptation period should not exceed six months.

On this occasion, it nevertheless specified that it would continue to fully monitor compliance with the other obligations that have not been amended and, if necessary, to adopt corrective measures to protect the privacy of Internet users.

The obligations that the CNIL is sanctioning today regarding non-compliance by companies with the GDPR were pre-existing and are therefore not among those that have been clarified by the new guidelines and the recommendation of October 1, 2020.

Note: The company GOOGLE LLC, based in California, develops the search engine Google Search. GOOGLE IRELAND LIMITED, based in Ireland, is the European headquarters of the Google Group. The company GOOGLE FRANCE is the establishment in France of the company GOOGLE LLC.