After Superman and Superwoman, can we talk about SuperCNIL?
On the 7th December 2020, the CNIL (French National Commission for Information Technology and Civil Liberties) fined Google and Amazon. A fine of 100 million euros for Google and 35 million euros for Amazon. The two companies are key players on the Internet and are part of the famous GAFAM (Google, Apple, Facebook, Amazon and Microsoft), a group that dominates the digital market.
But concretely, what are they accused of?
Three violations of the Data Protection Regulation for Google :
- The lack of user consent for the deposit of cookies on arrival at the site www.google.fr. This is usually done through cookie banners.
- The lack of information to users about the cookies deposited on their computers. In fact, in addition to consent, people should be informed of the identification of cookies and the functions of each cookie placed on their computers. Although Google included an information banner, no further detailed information was provided.
- Non-compliance with the opt-out mechanism by the user. When the user deactivated the personalisation of ads on Google, cookies for advertising purposes were still stored on the user’s computer.
Two violations of the Data Protection Regulation for Amazon:
- User consent was sought AFTER arrival on the site, after the advertising cookies had ALREADY been deposited on the computer (whereas the consent principle implies that agreement is sought BEFORE the cookies are deposited).
- Too vague information to users: this time, it is the voluntary lack of clarity that has been pointed out by the CNIL. In fact, according to the CNIL, when reading the information, users could not understand that the main purpose of the cookies was advertising. Finally, the information banner also failed to indicate the possibility of rejecting the deposit of cookies or how to do so.
What does this mean?
The CNIL has imposed both a financial and a symbolic penalty.
Financial, because the amount of the fine is far from derisory, and because there is an injunction under penalty (with a penalty of 100,000 euros per day of delay).
Symbolic, because CNIL is the first European data protection agency to impose such a heavy fine on a GAFAM member. In other words, this may be the end of an era (that of the factual impunity of the players that dominate one of the most powerful markets in the world) and the beginning of a new one. Finally, and most importantly, the CNIL is setting an example by imposing its rigour, its sense of justice and its real capacity to act.
Moral: The time and effort invested now in having clear and comprehensive cookie banners will bring you peace of mind and transparency in the long run – and no fear of the CNIL!