By Robert Bateman
France’s data-protection authority has hit Google and Amazon with fines totaling $163 million over the tech giants’ use of tracking cookies online.
Google’s $121 million fine and Amazon’s fine of $42 million were imposed Dec. 7 by France’s Commission Nationale de l’Informatique et des Libertés (CNIL).
CNIL enforces privacy laws, such as the EU General Data Protection Regulation (GDPR), France’s Data Protection Act and the ePrivacy Directive, which sets the rules on cookies use across the EU.
According to Dec. 10 statements on CNIL’s website, Google and Amazon’s websites placed cookies on user devices without proper notice and without requesting consent.
Google’s actions alone were found to have affected around 50 million people in France.
A ‘Cookie Banner’
EU law requires website operators to seek opt-in consent before placing tracking cookies on user devices. Both tech firms displayed a “cookie banner,” ostensibly seeking consent for cookies, but these notifications were found to violate privacy law.
“It is made clear that tracking users without any form of permission is wrong. However, the problem is far from solved.”Finn Myrstad, Norwegian Consumer Council.
Google did not respond to a request for comment. An Amazon spokesperson told Digital Privacy News: “We disagree with the CNIL’s decision.
“Protecting the privacy of our customers has always been a top priority for Amazon.
“We continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate,” the representative said.
But privacy experts told Digital Privacy News that the fines represented a move in the right direction — but that they might not be enough to ensure widespread compliance with online privacy laws.
“It is very good that it is made clear that tracking users without any form of permission is wrong,” said Finn Myrstad, director of digital policy at the Norwegian Consumer Council.
“However, the problem is far from solved, as ‘consent’ from users is often derived from manipulative design and user controls, combined with user agreements that are impossible to understand,” Myrstad told Digital Privacy News.
“Protecting the privacy of our customers has always been a top priority for Amazon.”Amazon.com Inc.
“This makes it hard, if not impossible, to say ‘no’ to tracking.”
Following User Activity
Rebecca Rumbul, a U.K. digital-rights advocate, told Digital Privacy News that the CNIL fines represented “an early victory for those of us who believe that tracking cookies are violating our privacy rights” — and that “further robust regulation and litigation will be focused in this area in the future.”
Rumbul is part of the Privacy Collective, a group suing tech companies Oracle and Salesforce over their use of tracking cookies. She said the tide was turning on companies that failed to respect user privacy.
“The forthcoming EU Digital Services Act and Digital Markets Act, and the newly created Digital Markets Unit in the U.K., all point to an increased level of scrutiny on big tech — and an increasing indignance that our personal information is being misused,” she said.
“Further robust regulation and litigation will be focused in this area in the future.”Rebecca Rumbul, the Privacy Collective, U.K.
The EU’s Digital Services Act and Digital Markets Act are new rules governing online platforms, presented to the European Parliament on Dec. 15. The U.K.’s Digital Markets Unit is an antitrust body that would oversee how such companies as Google and Amazon operated in the U.K. beginning early next year.
Rumbul noted, however, that regulation was “very slow-moving,” and that individuals and advocacy groups must “pursue redress through civil litigation” where privacy rights had been violated.
Alexander Hanff, CEO of the Swedish privacy consultancy, Think Privacy, said that violations of EU cookie laws were widespread.
“Complete absence of enforcement has led to a complete lack of motivation for companies to obey the law,” he said.
Asked whether he thought the fines indicated that privacy-law enforcement was being taken more seriously, Hanff said that CNIL had been spurred into action following a binding 2019 court case, “rather than any desire from the regulator to enforce the law, which has existed since 2002.”
“Complete absence of enforcement has led to a complete lack of motivation for companies to obey the law.”Alexander Hanff, Think Privacy consultancy, Sweden.
The Court of Justice of the European Union (CJEU) ruled on the “Planet49” case on Oct. 1, 2019, establishing a clear legal precedent that website operators must obtain a “freely given, specific, informed and unambiguous” indication of each user’s consent before placing tracking cookies on their devices.
“The CJEU judgment is binding on all member states,” Hanff said, “so I would expect to see a step-up in the enforcement of these rules.”
Robert Bateman is a writer in Brighton, U.K.
- InfoCuria Case-law: List of results
- Commission Nationale de l’Informatique et des Libertés: Cookies: financial penalty of 35 million euros imposed on the company AMAZON EUROPE CORE
- Commission Nationale de l’Informatique et des Libertés: Cookies: financial penalties of 60 million euros against the company GOOGLE LLC and of 40 million euros against the company GOOGLE IRELAND LIMITED