Why has the CNIL condemned Amazon and Google?
On December 7, 2020, the French Data Protection Authority CNIL sanctioned Amazon and companies Google LLC and Google Ireland Limited for violation of Article 82 of the law No78-17 of January 6, 1978 amended so-called “Informatique et Libertés” Act.
This condemnation follows several online controls carried out by the CNIL, during which the Authority found that advertising cookies are deposited on the computers of Internet users when they consult google.fr and amazon.fr websites without prior consent and without satisfactory information.
Cookies are deposited as soon as web users arrive on the websites, which is incompatible with the obligation to obtain their prior consent. As for the information provided, it is unclear and incomplete:
- The “opt-out” mechanism, which allows the web user to disable the personalization of ads on Google’s search engine, is partially defective, as one of the advertising cookies remains stored on the web user’s computer and continues to read information to the server to which it was attached.
The CNIL therefore considered that these companies did not allow web users to be previously and clearly informed about the fact that cookies were deposited on their computer or about the objectives of these cookies and noted the lack of available means to refuse them.
Amazon was fined 35 million Euros and Google’s subsidiaries were fined 60 and 40 million Euros; these amounts being justified by the seriousness of the breaches observed. The CNIL ordered them to provide information to Internet users within 3 months from the notification of its decisions, under penalty of 100,000 euros per day of delay.
Reminder: how to validly collect the consent of web users?
The CNIL reminds that the consent must be free, specific, enlightened and univocal and manifested by a positive action of the web user (check box, button to activate), who shall have been previously informed of the consequences of his/her choice and be given the means to accept, refuse and withdraw his/her consent.
The consent must be given before the deposit and/or reading of cookies.
The new features introduced by the CNIL in its guidelines and in its recommendation on cookies
Website publishers and online advertising players have a period of 6 months to comply with it, i.e., before April 1, 2021.
- Collection of web users’ consent
Henceforth, the simple fact of continuing to navigate on a website cannot be considered as a valid expression of the Internet user’s consent.
Web users must consent by a clear positive act: for example, clicking on the “I accept” button in the information banner.
The CNIL also recommends that the consent collection interface include not only an “accept all” button but also a “refuse all” button.
- Refusing to give consent
The CNIL considers that when a single click is required to accept cookies while several actions are necessary to set up a refusal, there is a risk that the Internet user, who generally wishes to access the site quickly, will be influenced. Web users must therefore be provided with simple and direct means to refuse to give their consent.
The CNIL recommends that websites, which generally retain consent to cookies for a certain period of time, also retain the refusal of Internet users.
- Cookies exempt from consent
However, certain cookies are exempted from the collection of consent, such as those for “operations whose exclusive purpose is to enable or facilitate communication by electronic means or are strictly necessary for the provision of an online communication service at the express request of users”.
Cookies for audience measurement can thus benefit from an exemption from consent provided that they are strictly necessary for the provision of the service.
- Information of web users
Web users must be clearly informed of each purpose of the trackers before giving their consent as well as the consequences of accepting or refusing trackers. Web users must also be informed of the means of withdrawing their consent as well as the identity of all actors using tracers subject to consent.
The CNIL reminds that the information must be accessible, both from the first screen and then, that it must be made available to Internet users on a permanent basis, in an easily accessible place at any time on the website.
- Retention period of cookies
The retention times differ for each cookie:
- 25 months for technical cookies;
- 13 months for consent cookies;
- Duration to be assessed “on a case-by-case basis” for cookies requiring consent, 6 months being a duration deemed adequate.
Contact: Stéphanie Berland, Partner in charge of IP/IT/Data Department