10 December 2020
On 7 December 2020, the CNIL’s restricted committee, which is responsible for imposing sanctions, fined the company AMAZON EUROPE CORE 35 million euros for having placed advertising cookies on users’ computers, from the page amazon.fr, without obtaining prior consent and without providing adequate information.
From 12 December 2019 to 19 May 2020, the CNIL conducted several investigations, including online investigations, regarding the website amazon.fr. These investigations allowed to observe that when a user visited the website, cookies were automatically placed on his or her computer, without any action required on his or her part. Several of these cookies were used for advertising purposes.
Breaches of the French Data Protection Act
The CNIL’s restricted committee, which is responsible for imposing sanctions, noticed two breaches of Article 82 of the French Data Protection Act:
Deposit of cookies without obtaining the prior consent of the user
The restricted committee noted that when a user visited one of the pages of the website amazon.fr, a large number of cookies used for advertising purposes was automatically placed on his or her computer, before any action required on his or her part. Yet, the restricted committee recalled that this type of cookies, which are not essential to the service, can only be placed after the user has expressed his or her consent. It considered that the deposit of cookies at the same time as arriving on the site was a practice which, by its nature, was incompatible with a prior consent.
Lack of information provided to the users of the website amazon.fr
First, the restricted committee noted that, in the case of a user visiting the website amazon.fr, the information provided was neither clear, nor complete.
It considered that the information banner displayed by the company, which was “By using this website, you accept our use of cookies allowing to offer and improve our services. Read More.”, only contained a general and approximate information regarding the purposes of all the cookies placed. In particular, it considered that, by reading the banner, the user could not understand that cookies placed on his or her computer were mainly used to display personalized ads. It also noted that the banner did not explain to the user that it could refuse these cookies and how to do it.
Then, the restricted committee noticed that the company’s failure to comply with its obligation was even more obvious regarding the case of users that visited the website amazon.fr after they had clicked on an advertisement published on another website. It underlined that in this case, the same cookies were placed but no information was provided to the users about that.
The sanction imposed by the restricted committee
The restricted committee imposed a fine of 35 million euros to the company AMAZON EUROPE CORE and decided to makes it public. The amount of the fine, and the decision to make it public, are justified by the seriousness of the breaches observed.
It was taken into account that, until the redesign of the website amazon.fr in September 2020, the company was placing cookies on the computers of users living in France, without providing them with information, in accordance with Article 82 of the Act. It noticed that, no matter what path the users used to visit the website, they were either insufficiently informed or never informed of the fact that cookies were placed on their computer. In the case of users visiting the website amazon.fr after they had clicked on an advertisement, the restricted committee considered that the instant deposit of cookies, added to the absence of any information, was violating the internet users’ rights.
Moreover, even if the main activity of the company is the sale of consumer goods, the personalized ads, which are made possible by the use of cookies, enable to significantly increase the visibility of its products in other websites. Finally, given the important place of the website amazon.fr in e-commerce, millions of people living in France who daily visit the website are subject to the deposit of cookies on their computers.
The restricted committee duly noted the recent developments made on the site amazon.fr and in particular the fact that now, no cookie is placed before the consent of the user. However, it considered that the new information banner set up still does not allow the users living in France to understand that the cookies are mainly used to propose personalized ads and that they were still not informed that they could refuse these cookies.
As a consequence, in addition to the financial penalty, the restricted committee also ordered the company to adequately inform individuals, in accordance with Article 82 of the French Data Protection Act, within three months after the notification of the decision. Otherwise, the company must pay a penalty payment of 100 000 euros for each day of delay.
The competence of the CNIL
In its decision, the restricted committee recalled that the CNIL is materially competent to control and sanction cookies placed by the company on the computers of users living in France. Thus, it emphasized that the cooperation mechanism provided for by the GDPR (“one-stop shop” mechanism) was not intended to apply in this procedure since the operations related to the use of cookies fall under the “ePrivacy” directive, transposed in Article 82 of the French Data Protection Act.
The restricted committee considered that it is also territorially competent, pursuant to Article 3 of the French Data Protection Act, because the use of cookies is carried out within the “framework of the activities” of the company AMAZON FRANCE, which is the “establishment” of the company AMAZON EUROPE CORE on the French territory and which promotes its products and services.
The link between the sanction and the work of the CNIL on cookies
As part of its action plan on targeted advertisement and in order to take into account the entry into force of the GDPR, the CNIL released its amending guidelines and a recommendation regarding the use of cookies and other tracking devices on 1st October 2020. The CNIL asked the players to comply with the rules, thus clarified, considering that the period of adaptation should not exceed six months.
On this occasion, the CNIL however added that it will keep fully controlling compliance with the other obligations that have not been modified and, if necessary, adopting corrective measures to protect the privacy of internet users.
The CNIL punishes today the breach, by the company AMAZON EUROPE CORE, of obligations that existed before the GDPR and were therefore not concerned by the new guidelines and the recommendation of 1st October 2020.
NB : The company Amazon Europe Core is a company incorporated under Luxembourgish law, that is part of the Amazon group and is responsible of the European websites “Amazon”, whose internet website is Amzon.fr.
SOURCE:French data privacy watchdog CNIL.