Why the CNIL sanctioned Google and Amazon about cookies - The EE

Gianclaudio Malgieri of EDHEC Augmented Law Institute

The CNIL’s penalties on Google (€100 million) and Amazon (€35 million) of last December reaffirm that data subjects’ consent for cookies should be as free and informed as possible.

CNIL is the Commission Nationale de l’Informatique et des Libertés. It is an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.

In terms of ‘informed’ consent, says Prof. Dr. Gianclaudio Malgieri of EDHEC Augmented Law Institute, it is necessary that individuals know exactly and immediately what the options and the implications in terms of cookies are, before cookies are installed on their hardware devices.

This recalls the CJEU decision (Planet 49 Case) which found that even the average individual is not willing/able to read complex and long information notices. If cookies are installed before any clear cookie-alert is shown, they are illegal.

In terms of ‘free’ consent, it is important that the individual has a real choice about cookies. Having real choice means not only the ability to refuse cookies, but that it is easy to do so: the subject should be able to easily understand how to say yes or no, without the need to scroll through additional pages and/or click on ambiguous buttons.

The GDPR and cookie walls

Looking at the GDPR (the EU’s General Data Protection Regulation) and the European Data Protection Board’s opinion, we know that cookie-walls (i.e., a no-choice banner about cookies, which data subjects can just ‘accept’ to continue exploring a website) are generally prohibited. With this new judgement, we can also say that de facto cookie walls (i.e., obscure banners where refusing cookies is much more difficult than accepting them) are prohibited.

The ultimate principle that big tech businesses need to consider is that the internet user (the data subject) cannot be expected to be so wary, informed and rational as to be able to refuse cookies after a long obstacle course race. The optimal option is a yes-no banner when entering the website and before any cookie is installed.

Reform is vital

This CNIL decision stresses the importance of a reform of the e-Privacy directive and, therefore, the approval of a new e-Privacy Regulation.


There are three reasons.

Firstly, because cookie-related privacy rules still depend too heavily on national differences within the EU (the French CNIL has stricter rules and enforcement practices, while other Data Protection Authorities seem more lenient) and this could create the risk of “forum shopping”.

Secondly, because the e-privacy directive seems incompatible with the new stricter consent requirements of the GDPR and this ambiguity needs to be solved soon. For example, in the directive, a silent consent can be tolerated, while in the GDPR consent should be unambiguous, free and informed.

Thirdly, because the GDPR is an international mechanism of cooperation among the different Member States’ Data Protection Authorities (in terms of sanctions, legal proceedings, etc.) that cannot be applied to the cookie-related issue at the moment; greater legal certainty would be extremely beneficial.

A digital single market

In this particular case, while Google was claiming that the Irish Data Protection Authority should have been responsible for the sanction proceedings (since Google’s European headquarters is in Ireland), Amazon was claiming that in its case only Luxembourgian rules about cookies should be considered (since the Amazon headquarters in Europe is in Ireland). This ambiguity is not beneficial to a clear and mature ‘digital single market’ in the European Union.

In sum, this latest episode of the battle between regulators and Big Tech shows that big companies cannot easily circumvent data protection rules about consent through obscure labyrinths that highly discourage even the most attentive internet user from refusing cookies.

In addition, this story teaches us that the enforcement of data protection is really dependent on the “legal activism” of each single National Data Protection Authority.

The author is Prof. Dr. Gianclaudio Malgieri of EDHEC Augmented Law Institute.
