10 December 2020
On 7 December 2020, the CNIL’s restricted committee, which is responsible for imposing sanctions, fined the companies GOOGLE LLC and GOOGLE IRELAND LIMITED a total of 100 million euros for having placed advertising cookies on the computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information.
On 16 March 2020, the CNIL conducted an online investigation on the website google.fr and found that when a user visited this website, cookies were automatically placed on his or her computer, without any action required on his or her part. Several of these cookies were used for advertising purposes.
Breaches of the French Data Protection Act
The CNIL’s restricted committee, which is responsible for imposing sanctions, noticed three breaches of Article 82 of the French Data Protection Act:
Deposit of cookies without obtaining the prior consent of the user
When a user visited the website google.fr, several cookies used for advertising purposes were automatically placed on his or her computer, without any action required on his or her part.
Since this type of cookies can only be placed after the user has expressed his or her consent, the restricted committee considered that the companies had not complied with the requirement provided for in Article 82 of the French Data Protection Act regarding the collection of prior consent before placing cookies that are not essential to the service.
Lack of information provided to the users of the search engine google.fr
When a user visited the page google.fr, an information banner displayed at the bottom of the page, with the following note “Privacy reminder from Google”, in front of which were two buttons: “Remind me later” and “Access now”.
This banner did not provide the user with any information regarding cookies that had however already been placed on his or her computer when arriving on the site. The information was also not provided when he or she clicked on the button “Access now”.
Therefore, the restricted committee considered that the information provided by the companies did not enable the users living in France either to be previously and clearly informed regarding the deposit of cookies on their computer or, therefore, to be informed of the purposes of these cookies and the available means enabling to refuse them.
Partial failure of the « opposition » mechanism
When a user deactivated the ad personalization on the Google search by using the available mechanism from the button “Access now”, one of the advertising cookies was still stored on his or her computer and kept reading information aimed at the server to which it is attached.
Therefore, the restricted committee considered that the “opposition” mechanism set up by the companies was partially defective, breaching Article 82 of the French Data Protection Act.
The sanction imposed by the restricted committee
The restricted committee imposed a financial penalty of 60 million euros on GOOGLE LLC and another one of 40 million euros on GOOGLE IRELAND LIMITED and decided to make them public.
The restricted committee justified these amounts having regard to the seriousness of the breach of Article 82 of the French Data Protection Act, that has been observed in relation with three aspects.
It also highlighted the scope of the search engine Google Search in France and the fact that the practices of the companies affected almost fifty million users.
Finally, it noted the significant profits of the companies deriving from the advertising income indirectly generated from data collected by the advertising cookies.
The restricted committee duly noted that the companies have stopped automatically placing advertising cookies when a user arrives on the page google.fr, since an update that occurred in September 2020.
However, it noticed that the new information banner set up by the companies when a user arrives on the page google.fr still does not allow the users living in France to understand the purposes for which the cookies are used and does not let them know that they can refuse these cookies.
As a consequence, in addition to the financial penalties, the restricted committee also ordered the companies to adequately inform individuals, in accordance with Article 82 of the French Data Protection Act, within three months after the notification of the decision. Otherwise, the companies must pay a penalty payment of 100 000 euros for each day of delay.
The competence of the CNIL
In its decision, the restricted committee recalled that the CNIL is materially competent to control and sanction cookies placed by the companies on the computers of users living in France. Thus, it emphasized that the cooperation mechanism provided for by the GDPR (“one-stop shop” mechanism) was not intended to apply in this procedure, since the operations related to the use of cookies fall under the “ePrivacy” directive, transposed in Article 82 of the French Data Protection Act.
The restricted committee considered that it is also territorially competent, pursuant to Article 3 of the French Data Protection Act, because the use of cookies is carried out within the “framework of the activities” of the company GOOGLE FRANCE, which is the “establishment” of the companies GOOGLE LLC and GOOGLE IRELAND LIMITED on the French territory and which promotes their products and services.
It also considered that the companies GOOGLE LLC and GOOGLE IRELAND LIMITED are jointly responsible since they both determine the purposes and means related to the use of cookies.
The link between the sanction and the work of the CNIL on cookies
As part of its action plan on targeted advertisement and in order to take into account the entry into force of the GDPR, the CNIL released its amending guidelines and a recommendation regarding the use of cookies and other tracking devices on 1st October 2020. The CNIL asked the players to comply with the rules, thus clarified, considering that the period of adaptation should not exceed six months.
On this occasion, the CNIL however added that it will keep fully controlling compliance with the other obligations that have not been modified and, if necessary, adopting corrective measures to protect the privacy of internet users.
The CNIL punishes today the breach, by the companies, of obligations that existed before the GDPR and were therefore not concerned by the new guidelines and the recommendation of 1st October 2020.
NB: The company GOOGLE LLC, established in California, develops the search engine Google Search. The company GOOGLE IRELAND LIMITED, with its head office located in Ireland, presents itself as the European head office of the Google group. The company GOOGLE FRANCE is the establishment of GOOGLE LLC in France.
SOURCE:French data privacy watchdog CNIL.
