CNIL fines Google $120M & Amazon $42M for Cookie Consent Violations

French regulator CNIL fines Google $120 Million & Amazon $42 Million for Cookie Consent Violations

CNIL is France’s data protection authority responsible for individual’s rights & applications of GDPR. They have been very active in ensuring that websites comply with the cookie consent requirements. CNIL’s combined fine of $162 Million is the largest for cookie consent violation and will definitely lead to website operator’s to change their cookie practices.

What’s Cookie Consent: 

Cookie consent is a requirement of ePrivacy directive of 2009, popularly known as cookie law which makes consent from users mandatory before a website drops cookies on the browser. GDPR just made the definition of consent strict and a compliant cookie consent banner should have the following:

1. Notice: Clear & Easy to read text that informs the user to the use of cookies. It also informs the user that they can accept, deny cookies and give consent to each purpose separately.
2. Accept & Deny Buttons: Both the buttons should be there and both buttons should have the same visibility. Website owners should not use any dark patterns to encourage click on Accept Button.
3. Cookie Settings: This should ideally link to a cookie preference center where users can give consent for each purpose separetly. This should also have a list of cookies for each purpose
4. Withdrawal of Cookies: For the user withdrawal of consent for cookies should be as easy as giving consent. This can be accomplished by adding a cookie settings button on the footer.
5. Auto-Blocking Cookies & Tracking Technologies: This is the most crucial step, ensure no cookies are dropped before user gives consent. You can use privado’s cookie consent solution to auto-block cookies.
   

Why was Amazon fined?

1. Failed to auto-block cookies: On amazon.fr, cookies were being dropped before user gave cookie consent. 
2. Notice in the banner was not unclear & incomplete: Banner did not mention that user’s could refuse cookies. Also, purposes of the cookies was unclear in the banner for example cookies were mainly used for personalized ads but user could not understand that.

‍

Why was Google fined?

1. Failed to auto-block cookies: When users visited google.fr, google automatically loaded advertisement cookies before user could give cookie consent
2. Notice in the banner was incomplete: Banner just gave a privacy reminder with options to Access Now and Remind Later and failed to inform cookies that were loaded on browser and use of them
3. Denying Cookies did not worked: Even when users deactivated personalized ads from the Access Now button, one advertising cookie will still be loaded and will keep sending information to the server.
   

In 2020, European DPA’s have been very active to enforce cookie consent on websites. You can comply with Europe’s cookie law along with other countries like CCPA with our free cookie consent solution. Sign up today or scan your website to find cookie compliance gaps.

Also, Watch the Top 10 Biggest GDPR Fines in 2020