French Publisher Fined for GDPR Violations for Installing Cookies Without User Consent
The French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (CNIL), has imposed a €50,000 financial penalty on the French publisher Le Figaro for violations of the EU General Data Protection Regulation (GDPR) over the installation of third-party advertising cookies without the consent of users of its website.
CNIL conducted an investigation between 2020 and 2021 which confirmed the use of cookies on its lefigaro.fr website. Under the GDPR, all visitors to a website must be informed before advertising cookies are downloaded and they must give their consent to having cookies installed.
The reason for this is cookies can collect personal data, and the amount of data they collect can be significant. EU citizens have the right to refuse to have cookies installed and have their personal data collected. If a website visitor refuses to provide their consent, that decision must be respected. According to CNIL, le Figaro “did not systematically guarantee the collection of consent.”
This is not the first time that CNIL has taken action over the use of cookies without consent. Fines were also imposed on the retailers Carrefour France and its financial arm Carrefour Banque over similar cookie violations. Carrefour France was fined €400,000 and Carrefour Banque fined €800,000 over the violations.
The largest cookie-related financial penalties were imposed on Google and Amazon. Google had a €100 million financial penalty imposed in November 2020 for similarly downloading advertising cookies on the computers of users of the Google.fr website without first obtaining consent, and Amazon was fined for the same cookie offences related to its Amazon.fr website. Amazon Europe was fined €35 million for the GDPR violations.
The most recent fines demonstrate that it is not only large tech firms that are at risk of GDPR violation penalties. The latest legal action shows that all website owners must comply with the requirements of the GDPR and must obtain consent from visitors prior to the use of third-party or other cookies. If consent is not given, cookies must not be downloaded.
