By Jonathan J. Rusch[1]
It should be no surprise to any company doing business in the European Union that if it wants to use “cookies” – small text files stored in an Internet user’s computer to identify that user — for advertising purposes, it must abide by the provisions of EU law pertaining to data privacy. Recitals 26 and 28 of the General Data Protection Regulation (GDPR) make clear that any data that can be used to identify an individual either directly or indirectly is considered personal data. Moreover, for more than a decade the EU E-privacy Directive has recognized that users have a right to refuse cookies when an entity’s website seeks to place cookies on the users’ computers.
Even so, in 2020 the French Data Protection Authority (CNIL) imposed a total of €100 million on fines on a world-leading technology company, Google, for failure to comply with the obligation to obtain users’ consent before it installed advertising cookies or other tracking devices. The CNIL did so pursuant to Article 82 of the French Data Protection Act, which transposes the E-privacy Directive. Google then appealed to the French Conseil d’État, the highest French court for cases involving public administration, in an effort to annul the fines.
On February 1, the Conseil d’État rejected Google’s position and affirmed the CNIL fines. In its decision, the Conseil d’Etat confirmed that the CNIL had the power to intervene as it did. It also found that Google had failed to provide users with clear and complete information or to obtain their prior consent to cookie placement, and had a defective cookie refusal procedure. The Conseil took note of the fact that an audit that the CNIL conducted in March 2020 disclosed “that seven cookies were automatically installed on users’ computers as soon as they visited the site, four of which were only used for advertising purposes.” During that audit procedure, Google “modified its practices in August 2020, but continued not to inform the user directly and explicitly about the purposes of its cookies and the means of objecting to them.”
The Conseil further noted that the amount of the fines that the CNIL imposed did not exceed the limit set by the French Data Protection Act, and that the fines were not disproportionate in view of the significant profits generated by the data collected through advertising cookies, and of Google’s dominant market share in France (more than 90 percent, which equates to approximately 47 million users).
Google reportedly is already looking ahead to replacing its advertising cookies with “a new system called Topics, in which advertisers will place ads via a limited number of topics determined by users’ browser activity.” At other firms doing business in the EU, however, Chief Privacy Officers and Chief Compliance Officers should take note of the Conseil d’État decision and compare the Conseil’s findings against their own cookie policies and practices. Although certain aspects of data-protection law can be exceptionally complex, providing clear guidance to internet users about prior consent to or refusal of cookies should not be.
[1] Jonathan J. Rusch is Adjunct Professor and Co-Director of the U.S. and International Anti-Corruption Law Program at American University Washington College of Law and Adjunct Professor at Georgetown University Law Center.
Leave a Reply