If you’re here, there’s no need for an elaborate introduction on what cookies are, why they are important, and the significance of cookie consent. You’re already aware that it’s crucial to adhere to specific terms when it comes to using non-essential cookies such as those for advertising and tracking on your website. We’ve all heard about the rules to follow and the severe consequences that await those who fail to comply. Here, we present 8 examples of companies that have faced substantial fines for violating cookie consent laws (and also how you can avoid the cookie consent fines).
To brush up, read next the key requirements of cookie consent laws or skip to the major cookie consent fines.
Basics of cookie consent
Cookie consent refers to the practice of obtaining user consent before placing or storing cookies on visitors’ devices through a website or online service. Cookie consent is an essential aspect of data privacy regulations, and there are specific conditions that need to be met for consent to be considered valid:
- Freely given: Consent must be given voluntarily and users should have a genuine choice to accept or reject the use of cookies. That means they should not be forced into giving consent with terms or conditions.
- Informed: Users must receive clear information about the purpose and implications of using cookies. This should include details on cookie types, data collection, processing, and sharing with third parties. Cookie consent banners should prominently offer options to accept (opt-in) or reject (opt-out) cookies, with particular attention given to making the opt-out option easily accessible. Websites must also provide access to policies like privacy and cookie policies, disclosing their detailed data processing practices involving cookies.
- Specific: Consent should be specific to each purpose for which cookies are used. Users should be able to grant or deny consent for different types of cookies, such as functional, analytical, or marketing cookies, based on their preferences.
- Unambiguous: Consent must be expressed through affirmative action or clear affirmative statement. It should not be inferred from inactivity or pre-ticked boxes. Users need to actively indicate their agreement or disagreement with the use of cookies.
- Revocable: Users should have the right to withdraw their consent at any time. The process for revoking consent should be as easy as granting it. Users should be informed about how they can withdraw their consent and have their cookies preferences updated or deleted.
- Demonstratable: Websites should maintain records of obtained consents to demonstrate compliance with data protection regulations. It is important to keep track of when and how consent was obtained, including any accompanying information provided to users.
By adhering to these valid conditions for cookie consent, companies can ensure that they respect users’ privacy rights, maintain transparency, and meet the requirements of data protection regulations.
8 companies that faced cookie consent fines
TikTok — $5.4 million
In January 2023, France’s data protection watchdog, CNIL, fined TikTok €5 million ($5.4 million) for making it difficult to refuse cookies on its website. The CNIL found that TikTok manipulated consent by discouraging users from rejecting cookies. They required multiple clicks to refuse cookies, but only one click to accept them. TikTok resolved the issue by adding a “Refuse all” button to its site.
The CNIL also found that TikTok did not adequately inform users about the purpose of cookies. These actions are part of France’s enforcement of cookie consent requirements, which aim to address tracking practices without proper consent. While the enforcement is limited to France, it may have broader implications for companies operating in the EU. TikTok stated that they have addressed the issues and will be prioritizing user privacy in the future.
Microsoft — $65 million
On December 22, 2022, Microsoft Ireland was fined €60 million ($65 million) by CNIL for not providing an easy option to refuse cookies on bing.com. CNIL’s investigations found cookies being used for advertising purposes without user consent.
The fine was based on the extent of data processing, affected users, and profits generated from the data collected using these cookies.
Microsoft was ordered to obtain consent from French users before depositing advertising cookies, with a daily penalty of €60,000 for non-compliance. CNIL determined that the company breached Article 82 of the French Data Protection Act by depositing cookies without consent and by not providing a compliant means of collecting consent.
Sephora — $1.2 million
In August 2022, Sephora, a prominent beauty retailer, became the first company publicly fined for violating California’s Consumer Privacy Act (CCPA). California Attorney General announced a settlement with Sephora to address the alleged CCPA violations, which include:
- Using data tracking technologies such as cookies that sent consumers’ data to external ad tech and analytics companies without properly informing or offering an opt-out choice to consumers. The CCPA requires businesses to either set up contracts with vendors to ensure compliant data handling or offer consumers a means to opt out, but Sephora did neither.
- Failing to process consumer opt-out requests made through universal privacy controls like the Global Privacy Control (GPC).
- Failing to take corrective action within the 30-day cure period allowed by the CCPA for businesses to address violations. (The right to cure violations under the CCPA is no longer available with the implementation of the CPRA)
As a result, Sephora was fined $1.2 million and ordered to meet the following terms:
- Revise online disclosures and privacy policy to explicitly state their personal information selling practices.
- Establish mechanisms that allow consumers to opt out of the sale of their personal information, including through the utilization of Global Privacy Control.
- Ensure that service provider agreements align with the requirements outlined by the CCPA.
Provide regular reports to the Attorney General detailing personal information sales, service provider relationships, and compliance with the Global Privacy Control.
Google — $162 million
On December 31, 2021, Google was fined a total of €150 million ($162 million) by the CNIL for not providing an easy way for users on google.fr and youtube.com to refuse cookies compared to accepting them.
CNIL conducted an investigation after receiving complaints and found that while Google offered a one-click option to accept cookies, there was no similarly user-friendly solution to reject them. This discrepancy violated users’ freedom of consent and discouraged cookie refusal.
The fines, €90 million ($97 million) for Google LLC and €60 million ($65 million) for Google Ireland Limited, were justified based on the number of affected users and the significant profits derived from advertising revenue tied to collected data. In addition to the fines, CNIL issued an injunction requiring Google to provide a simplified means for French internet users to refuse cookies within three months, with daily penalty payments for non-compliance.
CNIL emphasized that Google had been previously warned about the violation and the importance of making cookie refusal as simple as acceptance.
Google was given a three-month deadline to simplify the cookie refusal process or face a daily penalty of €100,000. The CNIL, as the French data protection authority, has jurisdiction over cookie-related operations. Google France was considered an establishment on French territory, and both Google LLC and Google Ireland Limited were held jointly responsible for cookie use. The “one-stop shop” mechanism under the GDPR did not apply in this case, as cookie operations fall under the ePrivacy Directive, covered by the French Data Protection Act.
Google complied by adding a “Only allow essential cookies” button next to the accept button within the deadline. Consequently, the CNIL closed this particular case on July 13, 2023.
However, this closure does not affect future assessments by the CNIL regarding the overall compliance of these websites with the French Data Protection Act.
Facebook — $65 million
On December 31, 2021, Facebook Ireland Limited was fined €60 million ($65 million) by the CNIL for making it difficult for users in France to refuse cookies on Facebook.com. The CNIL received complaints and found that accepting cookies was easy with a single click while rejecting them required multiple clicks and was less prominent. This complex process discouraged users from refusing cookies, violating their freedom of consent.
The restricted committee also found Facebook’s information unclear as users had to click on a button labeled “Accept cookies” to refuse them, causing confusion. They judged these methods and lack of clarity to be violations of Article 82 of the French Data Protection Act.
Like Google, CNIL gave Facebook a three-month deadline to simplify the cookie refusal process or face a daily penalty of €100,000. Similarly, the GDPR “one-stop shop” mechanism did not apply here as well.
Amazon — $38 million
On December 7, 2020, the French data protection authority, CNIL, sanctioned Amazon Europe Core a fine of €35 million ($38 million). The company placed advertising cookies on users’ computers without obtaining consent or providing sufficient information on the Amazon.fr sales site.
CNIL found two violations of the Data Protection Act:
- It automatically placed numerous advertising cookies on users’ computers without their consent, which was not essential for the service. This failure to obtain consent violated the obligation to seek user consent before depositing cookies.
- The banner displayed on the Amazon.fr site did not adequately inform French users about the cookies. It lacked clear information about the cookies objectives and how to refuse them.
Moreover, when users visited Amazon.fr after clicking on an advertisement on another website, the same cookies were placed on the user’s devices without displaying any banner, which was another violation.
This incident emphasizes the importance of obtaining explicit user consent and providing transparent information about cookies, especially for advertising purposes.
Carrefour — $3.23 million
In November 2020, the CNIL fined Carrefour, a retail and wholesaling corporation, a total of €3 million ($32.3 million) following inspections at Carrefour France and Carrefour Banque. The CNIL discovered multiple GDPR violations, including a breach of cookie consent.
Regarding cookies, the CNIL found that both the carrefour.fr and carrefour-banque.fr websites placed cookies on users’ devices without obtaining their consent. Some of these cookies were used for advertising purposes, requiring prior consent. The companies modified their website functionalities during the procedure to ensure that advertising cookies are no longer placed without user consent.
Carrefour also violated GDPR requirements in other areas, such as inadequate information provision, excessive data retention, unjustified identity verification, failure to respond to requests, and transmit more data than disclosed. The company made changes to address these issues during the procedure.
Consequently, Carrefour France was fined €2.25 million ($2.42 million), and Carrefour Banque received a penalty of €800,000 ($861,868). Despite the infringements, no compliance injunction was issued due to the significant efforts made to rectify the issues.
Twitter – $32,320
On June 9, 2020, the Spanish Data Protection Agency (AEPD) imposed a €30,000 ($32,320) fine on Twitter for alleged non-compliance with Law 34/2002 on information society services and electronic commerce. The complaint raised concerns about Twitter’s insufficient disclosure of cookie information and lack of clarity regarding the involvement of third-party partners. The investigation revealed that Twitter automatically stored various cookies on its website for analytics, customization, and advertising purposes. Despite being notified of the proceedings, Twitter did not provide a response. The utilization of non-essential cookies without clear information or options for users to opt out or manage them was considered a violation of the law. Consequently, the fine was imposed, taking into account the intentional nature of the violation and other relevant criteria.
Twitter’s fine is relatively small compared to fines imposed on other companies and even its own revenue. This holds true for many companies, as they often earn much more annually than the fines they receive. However, it still serves as a crucial reminder not to underestimate the importance of cookie consent laws. Non-compliance can have severe consequences, particularly for small businesses.
Here’s a solution that will guarantee you are legally safe from any cookie consent violation.
Avoid cookie consent fines with CookieYes
To avoid cookie consent fines and ensure legal compliance, it is essential to implement a robust cookie consent solution like CookieYes. CookieYes is a user-friendly and customizable cookie consent management platform that helps websites adhere to cookie consent laws.
Here are some features provided by CookieYes that can help you stay legally safe:
- Customizable cookie consent banners: CookieYes allows you to modify the cookie consent banners to align with your website’s branding while ensuring compliance with legal requirements. You can easily customize the appearance, content, language, and behavior of the banner to match your website’s aesthetics. That also means, you can edit the cookie message per your data processing practice.
- Opt-in/Opt-out buttons: The default banner layout includes clearly labeled “Accept all” and “Reject all”, allowing users to make informed choices regarding cookies. In addition to these options, there is a third button that provides further settings for customizing cookie preferences.
- Granular cookie consent: You can implement granular cookie consent options, allowing users to choose their preferences for different types of cookies. This ensures that users have control over their data and can opt in or opt out of specific cookie categories based on their preferences.
- Automatic cookie scanning: CookieYes automatically scans your website for cookies and provides you with a comprehensive cookie list. This helps you understand the types of cookies used on your site and facilitates transparency in informing users about their purpose.
- Third-party cookie auto-blocking: CookieYes automatically blocks websites from placing any third-party cookies until the user makes a choice. If users actively accept these cookies, they will be unblocked; otherwise, the cookies will remain blocked.
- Cookie consent logging: You can maintain records of user consent, allowing you to demonstrate compliance with privacy regulations. You can keep a log of when and how consent was obtained, including any accompanying information provided to users such as the type of cookies accepted.
- Cookie policy generator: CookieYes provides a cookie policy generator that helps you create a detailed and compliant cookie policy for your website. The policy includes essential information about the types of cookies used, their purpose, data processing practices, and how users can manage their cookie preferences.
- Seamless integrations: CookieYes seamlessly integrates with all major content management systems (CMS) like WordPress, Shopify, Wix, etc., as well as custom-coded websites. Furthermore, it can be easily implemented with Google Tag Manager, and it is fully compatible with Google Consent Mode. What’s even more advantageous is that our platform fully supports and respects DNT (Do Not Track) and GPC (Global Privacy Control) signals.
By implementing CookieYes, you can ensure that your website respects users’ privacy rights, provides clear and informed cookie consent options, and meets the requirements of data privacy regulations. Avoiding cookie consent fines becomes easier when you have a reliable solution in place.