Fines in the amount 100 million EUR and 35 million EUR applied by French Data Protection Authority (CNIL) to Google and Amazon for the unlawful use of cookies

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fines in the amount 100 million EUR and 35 million EUR applied by French Data Protection Authority (CNIL) to Google and Amazon for the  unlawful use of cookies. The fines resulted from two separate investigations carried out by CNIL in relation to the use of cookies on the French websites of Google and Amazon.

CNIL fined Google LLC for 60 million EUR, and Google Ireland Ltd (Google’s headquarters) for 40 million EUR. Combined, these fines are the largest ever sanction handed out by the CNIL. Both Google LLC and Google Ireland Ltd were deemed jointly responsible for the use of cookies as both were considered to exercise decision-making power in relation to personal data processing concerning users located in France.

CNIL also fined Amazon Europe Core, a company registered in Luxembourg and belonging to the Amazon group, the largest online retailer, with 35 million EUR, for the infringement of local legislation on “cookies”.

The French Data Protection Authority specified that the French sites of Google and Amazon did not require the consent of visitors before these cookies were saved on their devices and did not provide internet users with clear information on how the two companies intend to use the results of websites navigation and how the visitors of French sites may refuse the use of cookies.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.