The cookie jar is open

December 22, 2020

by Fedelma Good, Director, Data Protection Strategy, Legal and Compliance Services

Email | +44 (0)7730 598342

by Richard Collinson, Senior Associate

Email | +44 (0)7802 659192

On 10 December 2020, the French Supervisory Authority for data protection (the “CNIL”) issued fines of €35m, €40m and €60m to three entities belonging to two global technology companies.

These fines follow the CNIL’s earlier online investigation of these companies’ websites, and its subsequent on-premises visits.

These fines were issued because all of these companies:

  • failed to obtain consent before cookies and similar technologies were deployed on a user’s device; and
  • failed to provide users with sufficient information about such cookies and similar technologies.

In addition, one entity subject to the enforcement continued to use one advertising cookie even after the user had rejected its use.

A lack of transparency

The lack of transparency noted by the CNIL should be of particular interest to organisations. During the CNIL’s initial investigation, the information the companies provided about the cookies they deployed was considered only general and approximate; nonetheless, the companies had taken steps to reflect the fact that the user had a choice as to which cookies were deployed and could set preferences accordingly. Despite this, the CNIL still considered that the user was not given enough information.

Matters of establishment

It is also important to note which entities were fined by the CNIL (i.e. not one company’s French entity but its parent company). This was the result of the CNIL applying establishment criteria. Such an approach may lead to organisations with an establishment in the EU being brought within the scope of this kind of scrutiny, and potentially facing larger fines as a result.

ePrivacy is not a one stop shop

The CNIL also clarified that the one-stop shop mechanism found under the GDPR does not apply in an ePrivacy Directive context. The CNIL took various matters into account in reaching this determination, including the fact that the regulators competent under ePrivacy requirements may not be the same as those under the GDPR.

The price of non-compliance

These fines reflect the significant profits these companies make from advertising activities. They were calculated by applying Article 83(4) of the GDPR (i.e. up to the greater of €10,000,000 or 2% of the company’s total worldwide annual turnover in the preceding financial year). In addition, if the necessary remediations are not made within three months of the CNIL’s ruling, a further €100,000 per day will be charged.
