French data regulator CNIL has hit tech giants Google and Amazon with some heavy penalties for placing non-essential tracking cookies without user consent or notification. Google will pay €100 million (about $120 million) and Amazon will pay €35 million (about $42 million) for the infractions, which took place over the course of the past year.
Tight regulation of tracking cookies zaps tech giants
France’s Data Protection Act (DPA) was amended to fully adapt to the terms of the EU’s General Data Protection Regulation (GDPR) in mid-2019. Article 82 of the DPA requires clear prior collection of consent and user notification about the specifics of how nonessential tracking cookies will be used, something that CNIL found wanting in Amazon and Google’s use of them on its websites.
Amazon’s French site (Amazon.fr) was operating under a policy of “implied consent” with a banner that notified site visitors that continued use of the site was a tacit agreement to the use of tracking cookies. CNIL ruled that this was not in keeping with the DPA’s consent and transparency requirements as the notification did not make clear that the tracking cookies were going to be used for personal customization of display advertising.
Google’s issue was that their opt-out system for personalized advertising did not appear to be functioning properly. Users that selected the option to deactivate personalized advertising were given one particular ad tracking cookie that continued to store and process relevant information. CNIL also found that a Google site banner outlining its use of tracking cookies was inadequately specific about how they were being used.
In determining the fine amounts, the CNIL ruling cited the fact that the personalized ad system would communicate with and be visible on websites other than those owned by Amazon, and the fact that millions of French citizens make regular use of the online retailer’s services. In the Google ruling it similarly noted that some 50 million residents of the country make use of the search giant’s services.
Laws regarding notification and consent for use of tracking cookies for personalized advertising purposes have been in place and consistent since the GDPR went into effect in 2018, but an October 2019 ruling by the EU’s highest court reinforced that the policy of “implied consent” (continued use of a site following an initial passive banner or pop-up notification) is not considered adequate and can lead to large fines.
In statements to TechCrunch, Google and Amazon both disagreed with the CNIL ruling. Google attempted to shift responsibility to an “evolving” regulatory climate in France: “People who use Google expect us to respect their privacy, whether they have a Google account or not. We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products. Today’s decision under French ePrivacy laws overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving. We will continue to engage with the CNIL as we make ongoing improvements to better understand its concerns.” And Amazon denied that it was out of compliance with the country’s law: “We disagree with the CNIL’s decision. Protecting the privacy of our customers has always been a top priority for Amazon. We continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate.”
Both of the tech giants have made changes to their sites due to the investigation and ruling, however. Amazon has changed the wording of its notifications on several of its international sites and now includes an active link to its cookie preferences settings page, and the Amazon.fr site no longer automatically drops tracking cookies. Google had already removed the ad cookie in question in September and has since updated its banner notifications on its French sites, though CNIL has filed an injunction claiming that the new banners are also inadequate and that the company may be fined €100,000 per day if it does not correct the matter within three months.
France was empowered to directly issue its own enforcement actions in this case under the EU’s ePrivacy Directive. A more standard process under the GDPR would have been to refer the cases to the investigators in Ireland and Luxembourg (where the companies have their EU headquarters), a move that likely would have delayed the matter for a considerable amount of time. The amount required of Google by CNIL doubles its early 2019 fine of the company, which was also issued due to a lack of appropriate user consent for use of its personalized ad services.
The end of tracking cookies?
Though the issues that led to these fines are recent (dating back to December 2019), Google is among the big tech companies that have been talking about phasing out tracking cookies entirely as of late. The company has committed to ending the use of third-party cookies in its Chrome browser by the end of 2022, but has not made clear exactly what the alternative would be for personalized ad tracking.
This has led to an outcry from the digital marketing industry and has resulted in a probe by regulators in the UK into the idea, after a coalition of smaller tech companies and publishers brought a complaint. The UK regulator is expected to announce whether a case will move forward sometime in January.
The industry still does not have a clear picture as to what would replace tracking cookies to facilitate personalized ad delivery, but this has not stopped other companies (such as Apple) from already making aggressive moves to limit the ability to track users. It is also important to note that both Google and Apple continue to make use of their own first-party cookies and have not yet signaled any intent to dispose of those.