France’s privacy regulator announced it fined Amazon and Google more than $163 million for their practices regarding the use of internet cookies.
The Commission Nationale de l’Informatique et des Libertés, also known as CNIL, found that Google LLC, Google Ireland Limited and Amazon Europe Core violated French data privacy regulations by placing “advertising cookies on users’ computers … without obtaining prior consent and without providing adequate information,” according to the press releases.
The penalty on Google’s subsidiaries, totaling more than $120 million, is the largest fine issued by the privacy watchdog, according to the Wall Street Journal. Amazon was fined about $42.5 million.
Cookies are packages of internet data stored on computers after visiting websites so that sites can monitor web activity and page visits, according to NortonLifeLock. For example, cookies allow a website to keep track of items in a user’s online cart while browsing for other items.
Cookies can also be used to monitor activity in order to create individually tailored advertisements for users based on their online browsing histories.
The French Data Protection Act requires that cookies not directly related to a company’s services require users to express their consent before being stored on their computers.
The CNIL committee noted that when a user visited Amazon’s and Google’s French internet domains, “cookies used for advertising purposes [were] automatically placed on his or her computer, before any action required on his or her part.” Storing those cookies without an explicit user agreement, the CNIL said, is “incompatible” with the current regulations.
The CNIL added that both Google and Amazon failed to provide sufficient information regarding how user data was used for advertising purposes.
Amazon said it disagrees with the penalty and argued that Amazon users always have the ability to change their cookie preferences.
“We disagree with the CNIL’s decision,” an Amazon spokesperson told the Washington Examiner. “Protecting the privacy of our customers has always been a top priority for Amazon. We continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate.”
Google likewise rebuffed the penalty, arguing that the decision “overlooks” its efforts toward data transparency.
“People who use Google expect us to respect their privacy, whether they have a Google account or not,” a Google spokesperson told the Washington Examiner. “We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products. Today’s decision under French ePrivacy laws overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving. We will continue to engage with the CNIL as we make ongoing improvements to better understand its concerns.”
Amazon and Google have three months to comply with French regulations. If either company remains noncompliant after that time period, additional fines of up to $121,000 a day will be incurred.
