The French data protection authority CNIL has been very active in recent weeks and has imposed various penalties for incorrect description of cookies and data processing on websites of large companies. Here is a brief overview.
Google – 100 million euros fine
At the beginning of December 2020, the largest penalty to date was imposed for “cookie violations” – here against Google. In total, the CNIL imposed a fine of 100 million euros – 60 million against Google LLC and 40 million against Google Ireland Ltd. In both cases, the issue is that visitors to the google.fr search engine were not sufficiently informed about advertising cookies by a banner created by Google.
What is special about this case is that according to the GDPR, the Irish data protection authority DPC would actually be responsible. In order to still be able to impose the penalty, the CNIL therefore relies on the ePrivacy directive and not on the GDPR.
Explanations of the CNIL on Google penalties (English).
Amazon – 35 million euros fine
Along with the above-mentioned fine against Google, the fine against Amazon for violating data protection was also announced in France: 35 million euros. In this case, too, the issue is that advertising cookies were set without the consent of the visitors (here on amazon.fr). Here, too, ePrivacy was used and not the GDPR as a basis.
Carrefour – 3 million euros fine
A good week before Google and Amazon, the CNIL imposed a fine of around 3 million euros on Carrefour (one of the largest online shops in France) at the end of November. Fine goes to 2.25 million to Carrefour and further 800,000 EUR to Carrefour Banque. In both cases, it is also about incorrectly set cookies and missing consent.
More information at the CNIL (French).