Cookies: 35 million euro penalty against AMAZON EUROPE CORE
On December 7, 2020, the restricted formation of the CNIL sanctioned the company AMAZON EUROPE CORE with a fine of 35 million euros for having placed advertising cookies on users’ computers from the amazon.fr site without prior consent and without satisfactory information.
Between December 12, 2019 and May 19, 2020, the CNIL carried out several checks, particularly online, concerning the amazon.fr website. These checks revealed that when a user visited this site, cookies were automatically deposited on his computer, without any action on his part. Several of these cookies had an advertising objective.
Breaches of the Data Protection Act
The restricted formation, the CNIL body in charge of pronouncing sanctions, noted two violations of article 82 of the Data Protection Act:
A deposit of cookies without collecting the consent of the user
The limited training noted that when a user went to one of the pages of the amazon.fr site, a large number of advertising cookies were instantly deposited on his computer, i.e. before the latter performed any action. However, the restricted training recalled that this type of cookies, not essential to the service, could only be deposited after the Internet user had expressed his consent. It considered that the fact of depositing cookies concomitantly with the arrival on the site was a practice which, by nature, was incompatible with prior consent.
A failure to inform users of the site amazon.fr
It considered that the information banner displayed by the company, namely “By using this site, you accept our use of cookies to offer and improve our services. Learn more”, contained only a general and approximate description of the purposes of all cookies deposited. In particular, it considered that when reading this banner, the user was not able to understand that the cookies placed on his computer had the main purpose of displaying personalized advertising. She also noted that the banner did not indicate to the user that he has the right to refuse these cookies and the means available to him for this purpose.
Second, the restricted training noted that the company’s failure to meet its obligations was even more apparent in the case of users who visited the amazon.fr site after clicking on an ad published on another website. It emphasized that in this case, the same cookies were deposited without any information delivered to the Internet users.
Cookie Consent Manager | Take a 2 week free trial
Take a 2 week free trial for our paid plans or create a free account …
The sanction pronounced by the restricted formation
The restricted formation condemns the company AMAZON EUROPE CORE to a fine of 35 million euros, which has been made public. The amount withheld, as well as the public nature of the fine, are justified by the seriousness of the breaches observed.
Account was taken of the fact that until the overhaul of the amazon.fr website in September 2020, the company placed cookies on the computers of Internet users residing in France without providing them with the information under conditions that complied with Article 82 of the law. It noted that, whatever the path taken by the Internet user going to the site, it was either insufficiently informed or never informed of the deposit of cookies on his computer. The restricted training considered that in the case of users accessing the site amazon.fr after having clicked on an ad, the instant deposit of cookies, combined with the absence of any information, was particularly prejudicial to the rights of Internet users.
In addition, even though the company’s main activity resides mainly in the sale of consumer goods, the personalization of ads, made possible in particular thanks to cookies, considerably increases the visibility of its products elsewhere on the web. Finally, given the central place occupied by the amazon.fr site in terms of online commerce, millions of people living in France visit the site daily and see cookies being placed on their computers.
The restricted training took note of the recent changes made to the site amazon.fr and in particular the fact that no more cookies are now deposited before the user has given his consent. It nevertheless considered that the new information banner deployed still did not allow Internet users residing in France to understand that cookies are mainly used to display personalized advertising to them and that they were still not clearly informed of their ability to refuse these cookies.
Therefore, in addition to the administrative fine, the restricted formation also adopted an injunction under penalty so that the company proceeded to inform people in accordance with Article 82 of the French Data Protection Act within 3 months from the notification of the decision. Otherwise, the company will be liable to a penalty payment of 100,000 euros per day of delay.
A competence of the CNIL
In its deliberation, the restricted session recalled that the CNIL is materially competent to control and sanction cookies deposited by companies on the computers of users residing in France. It thus stressed that the cooperation mechanism provided for by the RGPD (“one-stop shop” mechanism) was not intended to apply in this procedure since operations related to the use of cookies fall under the “ePrivacy” directive, transposed in Article 82 of the French Data Protection Act.
It considered that the CNIL is also territorially competent in application of article 3 of the Data Protection Act because the use of cookies is carried out within the “framework of the activities” of the company AMAZON FRANCE which constitutes the “establishment” on French territory of the company AMAZON EUROPE CORE and ensures the promotion of their products and services.
Are your an agency, webdesigner or another reseller?
Earn 30% commission, take a look at our reseller model or contact us for numbers larger than 500 clients
The articulation of the sanction with the work of the CNIL on cookies
As part of its action plan on advertising targeting and to take into account the entry into force of the RGPD, the CNIL published on October 1, 2020 its amending guidelines and a recommendation on the use of cookies and other tracers. The CNIL asked the actors to comply with the rules thus clarified, considering that this adaptation period should not exceed six months.
On this occasion, it had nevertheless specified that it would continue to fully monitor compliance with the other obligations that have not been amended and, if necessary, to adopt corrective measures to protect the privacy of Internet users.
The obligations whose non-compliance by AMAZON EUROPE CORE is now sanctioned by the CNIL were pre-existing in the RGPD and are therefore not among those that have been clarified by the new guidelines and the October 1 recommendation.
Note: the company Amazon Europe Core is a company under Luxembourg law, part of the Amazon group and is responsible for the European “Amazon” websites, including the amazon.fr website.