Amazon Fined €35m for Breach of GDPR Advertising Cookies Laws

In a busy day for the French Data Protection Authority CNIL, it was announced on Thursday that e-commerce giant Amazon had been fined €35m for a breach of the European Union’s General Data Protection Regulation in relation to the placing of advertising tracking cookies on the devices of web users without seeking their authorization for doing so.

This announcement comes on the same day that the CNIL announced a GDPR fine of €100m had been sanctioned against Internet giant Google. In its ruling, which you can read here, CNIL said

As part of an official investigation, CNIL discovered that Amazon’s French portals are failing to ask for the prior consent of visitors before placing advertising cookies, tiny pieces of data saved while using the Internet, on their computers and other devices.

In relation to the finding of the GDPR investigation, CNIL said that those using the French Amazon page who click on an advert are at risk of being exposed to privacy violations because cookies are instantly deployed without any information on their use being provided to users. It said that the regulatory body had “considered that the information banner displayed by the company, which was ‘By using this website, you accept our use of cookies allowing to offer and improve our services. Read More.’, only contained a general and approximate information regarding the purposes of all the cookies placed. In particular, it considered that, by reading the banner, the user could not understand that cookies placed on his or her computer were mainly used to display personalized ads. It also noted that the banner did not explain to the user that it could refuse these cookies and how to do it.”

CNIL added that this sort of advertising cookie “can only be placed after the user has expressed his or her consent”. By placing the cookies before that consent was given, Amazon was breaching GDPR regulations. In addition, it was revealed that Amazon had not provided clear or complete information about the cookies it placed on users’ computers until a redesign in September 2020.

This GDPR penalty must be paid by its Luxembourg-based entity. Amazon released a statement which said that the company does not agree with CNIL’s decision. It said: “We continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate”.

Amazon has also been given a time period of three months to ensure that it is conforming with the GDPR requirements. Failing to do so will result in additional daily fines of €100,000 for every day until GDPR compliance can be shown.