News
Cookies: the Council of State confirms the 2020 sanction imposed by the CNIL against Amazon
June 2022 by Marc Jacob
In its judgement of June 27 2022, the Council of State confirms the 35 million euro penalty imposed by the CNIL on Amazon in 2020. The company deposited cookies on users’ computers without prior consent or satisfactory information.
The CNIL decision of 7 December 2020
On 7 December 2020, the CNIL imposed a fine of 35 million euros on AMAZON EUROPE CORE, in particular for having placed advertising cookies on the computers of users of the Amazon.fr sales site without prior consent or satisfactory information.
In its decision, the CNIL found two violations of Article 82 of the French Data Protection Act (transposing the e-Privacy Directive).
First of all, the CNIL noted that when a user visited the "Amazon.fr" site, a large number of cookies with an advertising purpose were automatically deposited on his or her computer without any action on his or her part. As this type of cookie was not essential to the service, the CNIL considered that the company had not complied with the obligation to obtain the consent of Internet users before depositing the cookies.
Secondly, the CNIL considered that the banner displayed on the "Amazon.fr" site did not allow users residing in France to be clearly informed beforehand about the deposit of cookies, in particular about the purposes of these cookies and the means of refusing them.
In addition, the CNIL noted that when users visited the "Amazon.fr" site after clicking on an ad published on another website, the same cookies were deposited but without any banner being displayed.
The Council of State ruling of 27 June 2022
In line with its decision of 28 January 2022 rendered in the context of the sanction against GOOGLE, the Council of State confirmed the competence of the CNIL to impose sanctions on cookies outside the one-stop shop mechanism provided for by the RGPD. It recalled that the CNIL was competent to sanction breaches of Article 82 of the French Data Protection Act, even in cases where the data controller is not established in France, but has an establishment on French territory involved in activities related to the processing carried out, in this case the promotion and marketing of advertising tools by the company Amazon Online France.
In substance, the Council of State confirmed the two violations of Article 82 of the French Data Protection Act sanctioned by the CNIL: the deposit of cookies without prior consent and the failure to inform users.
Finally, the Council of State considers that the amount of the fine imposed by the CNIL is not disproportionate to the seriousness of the breaches, the scope of the processing and the financial capacity of the company.
The decision of the Council of State
– Conseil d’État 451423, lecture du 27 juin 2022, décision n° 451423 [in French]
Texte reference
