France: Penalties against Google, Amazon & Carrefour for wrong cookies

The French data protection authority CNIL has been very active in recent weeks and has imposed various penalties for incorrect description of cookies and data processing on websites of large companies. Here is a brief overview.

the cnil logo is displayed in blue and red

Google – 100 million euros fine

At the beginning of December 2020, the largest penalty to date was imposed for “cookie violations” – here against Google. In total, the CNIL imposed a fine of 100 million euros – 60 million against Google LLC and 40 million against Google Ireland Ltd. In both cases, the issue is that visitors to the search engine were not sufficiently informed about advertising cookies by a banner created by Google.

What is special about this case is that according to the GDPR, the Irish data protection authority DPC would actually be responsible. In order to still be able to impose the penalty, the CNIL therefore relies on the ePrivacy directive and not on the GDPR.

Explanations of the CNIL on Google penalties (English).

Amazon – 35 million euros fine

Along with the above-mentioned fine against Google, the fine against Amazon for violating data protection was also announced in France: 35 million euros. In this case, too, the issue is that advertising cookies were set without the consent of the visitors (here on Here, too, ePrivacy was used and not the GDPR as a basis.

Explanations of the CNIL France on Amazon penalties (English).

Carrefour – 3 million euros fine

A good week before Google and Amazon, the CNIL imposed a fine of around 3 million euros on Carrefour (one of the largest online shops in France) at the end of November. Fine goes to 2.25 million to Carrefour and further 800,000 EUR to Carrefour Banque. In both cases, it is also about incorrectly set cookies and missing consent.

More information at the CNIL (French).