The French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (CNIL), has imposed a €50,000 financial penalty on the French publisher Le Figaro for violations of the EU General Data Protection Regulation (GDPR) over the installation of third-party advertising cookies without the consent of users of its website.
The reason for this is cookies can collect personal data, and the amount of data they collect can be significant. EU citizens have the right to refuse to have cookies installed and have their personal data collected. If a website visitor refuses to provide their consent, that decision must be respected. According to CNIL, le Figaro “did not systematically guarantee the collection of consent.”
The largest cookie-related financial penalties were imposed on Google and Amazon. Google had a €100 million financial penalty imposed in November 2020 for similarly downloading advertising cookies on the computers of users of the Google.fr website without first obtaining consent, and Amazon was fined for the same cookie offences related to its Amazon.fr website. Amazon Europe was fined €35 million for the GDPR violations.
The most recent fines demonstrate that it is not only large tech firms that are at risk of GDPR violation penalties. The latest legal action shows that all website owners must comply with the requirements of the GDPR and must obtain consent from visitors prior to the use of third-party or other cookies. If consent is not given, cookies must not be downloaded.