Le Figaro publisher fined €50,000 for GDPR violation 

The CNIL found that advertising cookies had been placed on the computers of visitors to the lefigaro.fr website without their consent. [Gil C / Shutterstock]

French publisher Le Figaro has been fined €50,000 by the country’s data protection authority after its website was discovered to be installing third-party advertising cookies without the users’ consent. 

The Commission Nationale de l’Informatique et des Libertés (CNIL) imposed the sanctions after checks between 2020 and 2021 revealed that cookies were being automatically placed on the computers of visitors to the lefigaro.fr website, without them being alerted or asked for permission.

The EU’s General Data Protection Regulation (GDPR) mandates that users’ permission is acquired by websites before advertising cookies are deposited, given the amount of personal data they collect. Websites are also required to respect users’ refusal if expressed. La Société du Figaro was found to have breached these rules as it “did not systematically guarantee the collection of consent”. 

The fine is the most recent in a string of sanctions handed out by the CNIL for data protection breaches, some of which have been levied against global tech giants and have climbed high into the millions. 

Florence Chafiol, a partner at the Paris law firm August Debouzy who is also currently outside counsel for FleishmanHillard, a PR firm working for Monsanto, a chemical company also recently fined by the CNIL, told EURACTIV that in her view the decision had been taken by the CNIL “as an example to other websites and to let the industry know that such penalties don’t just happen to big companies like Google and Amazon.”

French watchdog fines Google, Amazon for breaching cookies rules

France’s data privacy watchdog has handed out its biggest ever fine of 100 million euros ($121 million) to Alphabet’s Google for breaching the country’s rules on online advertising trackers (cookies).

The latest of many

Today’s fine is the latest in a line of rulings against companies for breaches of data protection laws adjudicated upon by the CNIL. 

Yesterday (28 July), Monsanto was dealt a €400,000 penalty for GDPR breaches in its assembly of a file containing the personal data of over 200 individuals including politicians, journalists, activists and scientists seen as being potentially influential in the debate over renewing the authorisation of glyphosate herbicide in Europe. 

While a number of recent data protection cases dealt with by the CNIL have been high-profile, Chafiol told EURACTIV that there has not necessarily been an overall increase in action by the authority.

Rather, she said, the contents of these cases and the amounts that companies are being fined are being made public in a way that they weren’t in previous years, meaning that the CNIL’s decisions have both a financial and reputational impact.

Cookie offences 

Cookie-related infringements have been the focus of a number of recent CNIL rulings.

In November 2020, retailer Carrefour France and Carrefour Banque were hit with fines of €2.25 million and €800,000 respectively after being found to have violated a range of data protection regulations, including GDPR’s cookie policy.

A month later, in December 2020, the CNIL also issued a set of major fines against tech giants Google and Amazon for failures to comply with cookie obligations. 

Google received a penalty totalling €100 million for an offence similar to la Société du Figaro’s, after the company’s French websites were found to have been placing cookies on users’ computers without their prior consent. 

Google went on to challenge the decision in court, both arguing against the terms of the sanctions and contesting the CNIL’s jurisdiction.

Google challenges French data watchdog's €100 million fine in court

France’s administrative court known as the Council of State considered on Thursday an application for interim measures filed by Google LLC and Google Ireland after the French Data Protection Authority known as the CNIL fined the digital giant €100 million last December for its cookie collection policy. EURACTIV France was at the hearing.

On the same day in December, sanctions of €35 million were levied against Amazon Europe for the same offence. The CNIL ruled that the company had breached the French Data Protection Act in two places, again by depositing advertising cookies on the computers of individuals visiting amazon.fr without obtaining prior consent.

[Edited by Luca Bertuzzi]

Subscribe to our newsletters