Breach of cookie rules leads to €100 million and €35 million fines

CNIL in France is very actively handing out fines in impressive amounts. It has imposed two fines on Google for violating the cookies rules which are in sum €100 million and it fined Amazon at €35 million.

Both cases have the same background

  • Google.fr and Amazon.fr placed advertising cookies at users computers without prior consent, and
  • they both did not inform the users and therefore the transparency rules of Art. 13 GDPR are violated.

Link to the press release on Google is here in English language.

Link to the press release on Amazon is here in English language.

Practical tipp:

  • Do not wait until the authority knocks on your door, get it right before.
  • As data privacy and especially the area of cookies, consent on cookies and transparency, is a quickly developing landscape, check the lawfulness of your solution at least once a month or every two months.
  • In the light of Schrems II decision by European Court of Justice it is getting tricky if you use cookies of an origin outside European Union or European Economic Area.
    • In case the information collected by the cookie is send to a location in EU or EEA and not forwarded to a country outside EU and EEA, you should be fine without a safeguard for international data transfer.
    • In case the information collected by the cookie is send to location in EU or EEA and then forwarded to a country outside EU and EEA, then you will need a safeguard in the light of Schrems II judgement.
    • In case the information collected by the cookie is directly send to a location outside the EU or EEA, then you will need to do a decision if you a safeguard for international data transfer is needed or if the provider of that cookie is directly subject to the GDPR under Art. 3 section 2 GDPR and therefore it might that a safeguard for international data transfer is not needed, especially if the website is hosted outside EU or EEA.
  • If you provide a website from outside the EU or EEA and use cookies and one of the criteria of Art. 3 section 2 GDPR applies to you, then GDPR in total applies to you for the actions covered by Art. 3 section 2 GDPR.
    • You will need to implement GDPR to these actions.
    • Depending on the legal, technical and organizational solution you will need or not need to provide for a safeguard for international data transfer.

Contact me if you need help in this, see imprint at the bottom of this page for contact details.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.