UNOFFICIAL ENGLISH TRANSLATION

FRENCH DATA PROTECTION AUTHORITY – NEWS

https://www.cnil.fr/fr/cookies-sanction-de-35-millions-deuros-lencontre-damazon-europe-core

Cookies: 35 million euro fine against AMAZON EUROPE CORE

10 December 2020

On December 7, 2020, the CNIL’s Restricted Committee sanctioned the company AMAZON EUROPE CORE with a fine of 35 million euros for having placed advertising cookies on the computers of users of amazon.fr website without prior consent or satisfactory information.

Between December 12, 2019 and May 19, 2020, the CNIL carried out several checks, particularly online, concerning the amazon.fr website. These checks revealed that when a user visited the website, cookies were automatically placed on their computer, without any action on their part. Several of these cookies had an advertising objective.

Breaches of the Data Protection Act

The Restricted Committee, the CNIL body in charge of pronouncing sanctions, found two violations of Article 82 of the French Data Protection Act:

Placing of cookies without prior collection of the user’s consent

The Restricted Committee noted that when a user went to one of the pages of the amazon.fr website, a large number of advertising cookies were automatically placed on their computer, without any action on their part. However, the Restricted Committee recalled that this type of cookies, not essential to the service, could only be deposited after the Internet user had expressed their consent. It considered that the fact of placing cookies concomitantly with the arrival on the site was a practice which, by nature, was incompatible with prior consent.

A failure to inform users of the website amazon.fr

First of all, the Restricted Committee noted that in the case of an Internet user visiting the amazon.fr website, the information provided was neither clear nor complete.

It considered that the information banner displayed by the company, namely “By using this site, you accept our use of cookies to offer and improve our services. Learn more”, contained only a general and approximate description of the purposes of all placed cookies. In particular, it considered that when reading this banner, the user was not able to understand that the cookies placed on their computer had the main purpose of displaying personalized advertising. It also noted that the banner did not indicate to the user that they have the right to refuse these cookies and the means available to them for this purpose.

Second, the Restricted Committee noted that the company’s failure to meet its obligations was even more apparent in the case of users who visited the amazon.fr site after clicking on an ad published on another website. It emphasized that in this case, the same cookies were placed without any information delivered to the Internet users.

The sanction pronounced by the Restricted Committee

The Restricted Committee sanctions the company AMAZON EUROPE CORE to a fine of 35 million euros, which has been made public. The amount fined, as well as the public nature of the fine, are justified by the seriousness of the breaches observed.

Account was taken of the fact that until the overhaul of the amazon.fr website in September 2020, the company placed cookies on the computers of Internet users residing in France without providing them with the information under conditions that complied with Article 82 of the Act. It noted that, whatever the path taken by the Internet user going to the site, they were either insufficiently informed or never informed of the placing of cookies on their computer. The Restricted Committee considered that in the case of users accessing the site amazon.fr after having clicked on an ad, the instant placing of cookies, combined with the absence of any information, was particularly prejudicial to the rights of Internet users.

In addition, even though the company’s main activity resides mainly in the sale of consumer goods, the personalization of ads, made possible in particular thanks to cookies, considerably increases the visibility of its products elsewhere on the web. Finally, given the central place occupied by the amazon.fr website in terms of online commerce, millions of people living in France visit the site daily and see cookies being placed on their computers.

The Restricted Committee took note of the recent changes made to the amazon.fr website and in particular the fact that cookies are now no longer placed before users has given their consent. It nevertheless considered that the new information banner deployed still did not allow Internet users residing in France to understand that cookies are mainly used to display advertising on the site.

Therefore, in addition to the administrative fine, the Restricted Committee has also adopted an injunction under penalty so that the company proceeds to inform the persons in accordance with Article 82 of the Data Protection Act within 3 months as from the notification of the decision. Otherwise, the company will be liable to a penalty payment of 100,000 euros per day of delay.

A competence of the CNIL

In its deliberation, the Restricted Committee recalled that the CNIL is materially competent to control and sanction cookies deposited by companies on the computers of users residing in France. It thus stressed that the cooperation mechanism provided for by the GDPR (“one-stop shop” mechanism) was not intended to apply in this procedure since operations related to the use of cookies fall under the “ePrivacy” directive, transposed in Article 82 of the French Data Protection Act.

It considered that the CNIL is also territorially competent under Article 3 of the Data Protection Act because the use of cookies is made within the “framework of activities” of the company AMAZON FRANCE which is the “establishment” on French territory of the company AMAZON EUROPE CORE and ensures the promotion of their products and services.

The articulation of the sanction with the work of the CNIL on cookies

As part of its action plan on advertising targeting and to take into account the entry into force of the GDPR, the CNIL published on October 1, 2020 its amending guidelines and a recommendation on the use of cookies and other tracers. The CNIL asked the actors to comply with the rules thus clarified, considering that this adaptation period should not exceed six months.

On this occasion, it nevertheless specified that it would continue to fully monitor compliance with the other obligations that have not been amended and, if necessary, to adopt corrective measures to protect the privacy of Internet users.

The obligations that the CNIL is sanctioning today regarding non-compliance by companies with the GDPR were pre-existing and are therefore not among those that have been clarified by the new guidelines and the recommendation of October 1, 2020.

Note: the company Amazon Europe Core is a company under Luxembourg law, part of the Amazon group and is responsible for the European “Amazon” websites, including the amazon.fr website.