Breach of GDPR Advertising Cookies Laws Leads to Fine of €35m for Amazon

Yesterday, the French Data Protection Authority CNIL, confirmed Amazon had been fined €35m for installing advertising tracking cookies on the devices of web users without having prior permission. This news comes in the wake of the CNIL revealing that Google will also be hit with a GDPR fine of €100m for the same misdemeanor. The official ruling can be read here.

In the official investigation, CNIL identified Amazon’s French websites did not obtain prior consent of visitors before installing advertising cookies – small pieces of data on computers and other Internet-enabled devices when browsing the internet for the purpose of identifying and tracking users.

Along with the outcomes of the CNIL GDPR investigation, it was also made public that visitors to the French Amazon portal who clicked on an advert could face privacy risks as the cookies are immediately put to work without any information about their activity given to the browsers. CNIL  “considered that the information banner displayed by the company, which was By using this website, you accept our use of cookies allowing to offer and improve our services. Read More.’, only contained general and approximate information regarding the purpose of all the cookies downloaded. In particular, it considered that, by reading the banner, the user could not understand that cookies placed on his or her computer were mainly used to display personalized ads. It also noted that the banner did not explain to the user that they could refuse these cookies and how to exercise that right.

CNIL went on to say that this type of advertising cookie “can only be placed after the user has expressed his or her consent”. By installing cookies without providing adequate information, GDPR regulations were being violated. It was also made public that Amazon had not made steps to add this information until a redesign went live in September 2020.

Amazon issued a statement saying the company does not agree with CNIL’s ruling, saying: “We continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate”.

CNIL has given Amazon three months to make changes to become compliant with all GDPR rules. If it does not, it could be sanctioned with additional daily fines of €100,000 for every day until the company is fully compliant with the GDPR.

Author: Security News