Cookies: 35 million euro penalty against AMAZON EUROPE CORE
On December 7, 2020, the restricted formation of the CNIL sanctioned the company AMAZON EUROPE CORE with a fine of 35 million euros for having placed advertising cookies on users’ computers from the amazon.fr site without prior consent and without satisfactory information.
Between December 12, 2019 and May 19, 2020, the CNIL carried out several checks, particularly online, concerning the amazon.fr website. These checks revealed that when a user visited this site, cookies were automatically deposited on his computer, without any action on his part. Several of these cookies had an advertising objective.
Breaches of the Data Protection Act
The restricted formation, the CNIL body in charge of pronouncing sanctions, noted two violations of article 82 of the Data Protection Act:
A deposit of cookies without collecting the consent of the user
The limited training noted that when a user went to one of the pages of the amazon.fr site, a large number of advertising cookies were instantly deposited on his computer, i.e. before the latter performed any action. However, the restricted training recalled that this type of cookies, not essential to the service, could only be deposited after the Internet user had expressed his consent. It considered that the fact of depositing cookies concomitantly with the arrival on the site was a practice which, by nature, was incompatible with prior consent.
A failure to inform users of the site amazon.fr
Second, the restricted training noted that the company’s failure to meet its obligations was even more apparent in the case of users who visited the amazon.fr site after clicking on an ad published on another website. It emphasized that in this case, the same cookies were deposited without any information delivered to the Internet users.
The sanction pronounced by the restricted formation
The restricted formation condemns the company AMAZON EUROPE CORE to a fine of 35 million euros, which has been made public. The amount withheld, as well as the public nature of the fine, are justified by the seriousness of the breaches observed.
Account was taken of the fact that until the overhaul of the amazon.fr website in September 2020, the company placed cookies on the computers of Internet users residing in France without providing them with the information under conditions that complied with Article 82 of the law. It noted that, whatever the path taken by the Internet user going to the site, it was either insufficiently informed or never informed of the deposit of cookies on his computer. The restricted training considered that in the case of users accessing the site amazon.fr after having clicked on an ad, the instant deposit of cookies, combined with the absence of any information, was particularly prejudicial to the rights of Internet users.
In addition, even though the company’s main activity resides mainly in the sale of consumer goods, the personalization of ads, made possible in particular thanks to cookies, considerably increases the visibility of its products elsewhere on the web. Finally, given the central place occupied by the amazon.fr site in terms of online commerce, millions of people living in France visit the site daily and see cookies being placed on their computers.
The restricted training took note of the recent changes made to the site amazon.fr and in particular the fact that no more cookies are now deposited before the user has given his consent. It nevertheless considered that the new information banner deployed still did not allow Internet users residing in France to understand that cookies are mainly used to display personalized advertising to them and that they were still not clearly informed of their ability to refuse these cookies.
Therefore, in addition to the administrative fine, the restricted formation also adopted an injunction under penalty so that the company proceeded to inform people in accordance with Article 82 of the French Data Protection Act within 3 months from the notification of the decision. Otherwise, the company will be liable to a penalty payment of 100,000 euros per day of delay.
A competence of the CNIL
The articulation of the sanction with the work of the CNIL on cookies
On this occasion, it had nevertheless specified that it would continue to fully monitor compliance with the other obligations that have not been amended and, if necessary, to adopt corrective measures to protect the privacy of Internet users.
The obligations whose non-compliance by AMAZON EUROPE CORE is now sanctioned by the CNIL were pre-existing in the RGPD and are therefore not among those that have been clarified by the new guidelines and the October 1 recommendation.
Note: the company Amazon Europe Core is a company under Luxembourg law, part of the Amazon group and is responsible for the European “Amazon” websites, including the amazon.fr website.