Google's fees for using non-consensual cookies.
The CNIL, France’s data privacy regulatory committee (the name roughly translates to “the National Commission on Informatics and Liberty”), has fined both Google and Amazon for utilizing tracking cookies without user consent. The fines amount to €100 million for Google (about $120 million) and €35 million for Amazon (about $42 million), TechCrunch reports.
Under a French law called the Data Protection Act, internet companies are forbidden from loading tracking cookies onto a user’s device unless that user has explicitly consented to them. The CNIL posted a notice of the new fines on its website this week (which, fair warning, is entirely in French).
“As this type of cookies cannot be deposited without the user having expressed his consent, the restricted committee considered that the companies had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies,” TechCrunch translates from the notice.
CNIL found three counts of consent violations on Google’s part and two such violations for Amazon. Unsurprisingly, neither company believes it’s actually done anything wrong.
Multimillion-dollar cookies — Internet companies’ tendency to track users without their consent has become an increasingly hot topic in the last few years. All kinds of internet companies are being pressured to make their privacy practices more transparent.
Laws around tracking cookies have been consistently harsh in the European Union for years now, but TechCrunch points out that a hearing last October clarified that clear consent must be obtained before websites store or access non-essential cookies.
So Google and Amazon really should have no problem complying at this point. Still, they chose to use tracking cookies — doubtless for profit — without fully informing their users of those cookies.
Google doesn’t even want cookies — We’ve nearly reached a breaking point with cookies. They’re useful for companies, yes, but they’re also outdated and pretty invasive.
In fact, they’re so outdated that just about every major web browser has either phased them out completely or is in the process of doing so. Pretty soon cookies will be no more than a nostalgia-tinged memory we'll be explaining to youngsters.
However, Google in particular has held out on blocking cookies completely because doing so would hurt its revenue models. The tech giant is working on replacement technology that can provide the same data, but it’ll probably be a while before we see that in use. Facebook, meanwhile, is facing the specter of iPhone users being easily able to opt out of its tracking services thanks to a change from Apple aimed at increasing its customers' privacy.
What the companies say — As you might imagine, neither Amazon nor Google is willing to admit wrongdoing here.
In response to a question from TechCrunch, Google said:
"We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products. Today’s decision under French ePrivacy laws overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving."
Amazon’s response was even more point-blank:
"We disagree with the CNIL’s decision. Protecting the privacy of our customers has always been a top priority for Amazon. We continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate."
We have little doubt Google and Amazon can afford the fines. But, hopefully, other countries will apply similar scrutiny, and possibly similar punishments, because it's likely going to take far more painful slaps on the wrist to get the tech giants to comply. Tracking is simply too lucrative. Until it's not worth the risk of doing so, companies can't really be expected to stop doing it.