Google has been fined a total of €100m by the French data privacy watchdog, CNIL, for breaching Article 82 of the French Data Protection Act. The fine – made up of a €60m fine for Google LLC and a €40m fine for Google Ireland – has been levied because CNIL found that when a user visited the google.fr website, cookies, including advertising tracking cookies, were dropped on the user’s PC, without any action on their part and without the user giving their consent. Amazon has also been fined €35m by CNIL for the same offence.
In making the fines public, CNIL acknowledged that Google has now stopped automatically dropping ad cookies when a user arrives at google.fr, since an update that occurred in September 2020.
However, it noticed that the new information banner set up by Google when a user arrives at google.fr still does not allow users living in France to understand the purposes for which the cookies are used and does not let them know that they can refuse these cookies.
As a result, in addition to the financial penalties, it has ordered Google to change the wording of the popups within three months, or pay a further fine of €100,000 per day unless the changes are made. Amazon has been given the exact same ultimatum.
In a statement published by Reuters, Google said: "We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products.
"Today's decision under French ePrivacy laws overlooks these efforts and doesn't account for the fact that French rules and regulatory guidance are uncertain and constantly evolving."