French publisher Le Figaro has been fined €50,000 by the country’s data protection authority after its website was discovered to be installing third-party advertising cookies without the users’ consent.
The Commission Nationale de l’Informatique et des Libertés (CNIL) imposed the sanctions after checks between 2020 and 2021 revealed that cookies were being automatically placed on the computers of visitors to the lefigaro.fr website, without them being alerted or asked for permission.
The EU’s General Data Protection Regulation (GDPR) mandates that users’ permission is acquired by websites before advertising cookies are deposited, given the amount of personal data they collect. Websites are also required to respect users’ refusal if expressed. La Société du Figaro was found to have breached these rules as it “did not systematically guarantee the collection of consent”.
The fine is the most recent in a string of sanctions handed out by the CNIL for data protection breaches, some of which have been levied against global tech giants and have climbed high into the millions.
Florence Chafiol, a partner at the Paris law firm August Debouzy who is also currently outside counsel for FleishmanHillard, a PR firm working for Monsanto, a chemical company also recently fined by the CNIL, told EURACTIV that in her view the decision had been taken by the CNIL “as an example to other websites and to let the industry know that such penalties don’t just happen to big companies like Google and Amazon.”
The latest of many
Today’s fine is the latest in a line of rulings against companies for breaches of data protection laws adjudicated upon by the CNIL.
Yesterday (28 July), Monsanto was dealt a €400,000 penalty for GDPR breaches in its assembly of a file containing the personal data of over 200 individuals including politicians, journalists, activists and scientists seen as being potentially influential in the debate over renewing the authorisation of glyphosate herbicide in Europe.
While a number of recent data protection cases dealt with by the CNIL have been high-profile, Chafiol told EURACTIV that there has not necessarily been an overall increase in action by the authority.
Rather, she said, the contents of these cases and the amounts that companies are being fined are being made public in a way that they weren’t in previous years, meaning that the CNIL’s decisions have both a financial and reputational impact.
Cookie offences
Cookie-related infringements have been the focus of a number of recent CNIL rulings.
In November 2020, retailer Carrefour France and Carrefour Banque were hit with fines of €2.25 million and €800,000 respectively after being found to have violated a range of data protection regulations, including GDPR’s cookie policy.
A month later, in December 2020, the CNIL also issued a set of major fines against tech giants Google and Amazon for failures to comply with cookie obligations.
Google received a penalty totalling €100 million for an offence similar to la Société du Figaro’s, after the company’s French websites were found to have been placing cookies on users’ computers without their prior consent.
Google went on to challenge the decision in court, both arguing against the terms of the sanctions and contesting the CNIL’s jurisdiction.
On the same day in December, sanctions of €35 million were levied against Amazon Europe for the same offence. The CNIL ruled that the company had breached the French Data Protection Act in two places, again by depositing advertising cookies on the computers of individuals visiting amazon.fr without obtaining prior consent.
[Edited by Luca Bertuzzi]