This newsletter briefly discusses two landmark decisions of the French Commission Nationale de l'Informatique et des Libertés (“CNIL”) on the use of cookies by websites, along with cookie-related compliance requirements in India.
2.1 Amazon Europe Case
(a) Background: On June 27, 2022, the French Council of State upheld a fine of €35 million imposed on Amazon Europe Core (“Amazon”) for breach of Article 82 of the French Data Protection Act, 1978. The fine had originally been imposed by the restricted committee of the CNIL. Both the CNIL and the Council of State held that Amazon had deposited cookies on users' terminals without obtaining the consent required under Article 82.
Article 82 provides that (i) a user of an electronic communications service must be informed, in a clear and complete manner, of the purpose of any access to the user's terminal and of the means available to object to it; and (ii) the user must give explicit consent after receiving that information, which consent may also be expressed through browser settings.
(b) Contentions: CNIL's ruling rested on two principal failures by Amazon: (i) depositing cookies on users' terminals without obtaining explicit consent; and (ii) providing users with insufficient information before depositing cookies on their terminals.
On the first ground, Amazon argued that, being incorporated in Luxembourg, it was subject only to Luxembourg law, which did not require explicit user consent for depositing cookies. Rejecting this argument, CNIL held that French law applied because (i) Amazon had a French establishment that provided marketing solutions, and (ii) the cookies were deposited on the terminals of users accessing Amazon France's website. CNIL observed that the Amazon France website placed more than 40 advertising cookies on the user's terminal without seeking express consent. It held that, for consent to be effective, users must be fully informed of the purpose of the cookies and of the means of refusing them. Referring to its recommendations of September 17, 2020, CNIL reiterated that information about cookies must be visible, highlighted and complete, and that data controllers must implement a two-step consent collection mechanism in which users (i) are informed of the precise purpose of the cookies, of the possibility of refusing them and of changing the settings by clicking on a link in the banner; and (ii) are given a simple and intelligible way to accept or refuse all or part of the cookies. CNIL found that the information banner on Amazon France's website did not mention the means available for refusing the cookies; such information was either absent or incomplete.
(c) Decision: CNIL observed that almost 300 million Amazon identifiers had been allocated in France over a period of nine months, a volume reflecting the central place Amazon occupies in the daily lives of people residing in France. Noting the gravity of the breach and Amazon's turnover, CNIL imposed the fine together with an injunction against depositing cookies without complying with its recommendations of September 17, 2020.
2.2 Google LLC and Google Ireland Case
(a) Background: On December 31, 2021, CNIL imposed fines of €60 million on Google Ireland Limited and €90 million on Google LLC (collectively “Google”) for breach of Article 82 of the French Data Protection Act. The decision followed several complaints about the complexity of the mechanism for refusing cookies on Google's French websites.
Significantly, this was not the first time Google had been penalised for its cookie practices. In December 2020, the restricted committee of CNIL had already found that Google had not adequately informed users of the purpose of its cookies and of the means available to refuse them.
(b) Contentions: Google argued that the law did not envisage any simplification of the refusal process, and that CNIL could not create new legal requirements by transposition. As long as Google provided a refusal mechanism, how that mechanism operated was irrelevant.
CNIL observed that a user's consent must be free, specific, informed and unambiguous, and must be manifested by a clear, positive act. Consent cannot be regarded as freely given if the user has no genuine choice, or is unable to refuse or withdraw consent without detriment. A check carried out by CNIL's delegation found that accepting cookies required only a single click on an “I accept” button, whereas refusing them required the user to go through five steps. Such a mechanism implicitly encourages users to accept cookies rather than work through a lengthy refusal process; a difficult refusal process creates only an illusion of choice, and the manner in which refusal can be expressed biases the user's choice in favour of acceptance. CNIL further noted that websites offering a “refuse all” button saw a decrease in the rate at which cookies were accepted.
Refuting Google's contention, CNIL observed that, under Article 8(I)(2°)(b) of the French Data Protection Act, it has the power to draw up and publish guidelines, recommendations or reference documents to facilitate compliance with data protection law, and referred to its recommendations of July 4, 2019. Article 2.30 of those recommendations states that “data controllers must offer users both the possibility of accepting and refusing read and/or write operations with the same degree of simplicity.” CNIL observed that the 2019 recommendations merely illustrate the law in concrete terms and do not create new obligations.
(c) Decision: Noting Google's reluctance to comply with its legal obligations despite earlier decisions against its cookie practices, and the turnover earned, CNIL imposed the fines together with an injunction against continuing to use the existing mechanism for refusing cookies.
3. Regulation of cookies in India
Presently, India does not have a dedicated data privacy law; data protection is primarily governed by the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”). Nor is there any law, regulation or guideline specifically on cookie-related compliance. However, to the extent cookies deposited on a user's system access any sensitive personal data, that access is governed by the SPDI Rules.
Rule 5 of the SPDI Rules requires a body corporate to obtain consent in writing, whether by letter, fax or email, before collecting sensitive personal data. Further, while collecting information, the body corporate must ensure that the data subject knows (a) that the information is being collected; (b) the purpose of the collection; (c) the intended recipients; and (d) the name and address of the agency collecting the information and of the agency that will retain it. Rule 5(7) requires that data subjects be given the option not to provide the data sought to be collected.
To summarise, an Indian entity using cookies on its websites, platforms or applications should ideally comply with the following minimum requirements in order to avoid potential future action:
- Explain the nature, type and purpose of the cookies in clear, explicit terms, and make that information easily accessible to the user;
- Seek the explicit consent of the user, and do not set cookies in the user's browser before obtaining that consent; and
- Provide a clear right to refuse cookies, and make the mechanism for rejecting cookies as simple as the mechanism for accepting them.
Non-compliance may attract liability under the IT Act. For instance, Section 43 of the IT Act provides that any person who, without the permission of the owner or the person in charge of a computer system or network, accesses or secures access to it, downloads, copies or extracts any data from it, or introduces any computer contaminant into it, is liable to pay damages by way of compensation to the person affected.
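The second and third requirements above are client-side behaviour, and the Google decision turned on how many steps refusal takes compared with acceptance. The following JavaScript is an added illustration written for this summary; it is not code from CNIL, Amazon, Google or any consent-management vendor. It assumes two non-essential purposes (analytics and advertising), an injected cookie writer so that it runs outside a browser, that cookies the site itself marks as essential sit outside the consent gate, and two constructed banner layouts; all of these are assumptions made for the example, not findings from the decisions.

```javascript
// Added example (not from the newsletter, CNIL, Amazon or Google): a consent
// gate that writes no non-essential cookie before the user has decided, plus
// a check that refusing is no harder than accepting. Purpose names, cookie
// names and the banner layouts below are assumptions made for illustration.

const PURPOSES = ["analytics", "advertising"]; // assumed non-essential purposes

class ConsentGate {
  // writeCookie is injected so the gate runs without a DOM. In a browser pass
  // (name, value) => { document.cookie = `${name}=${value}; Path=/; Secure; SameSite=Lax`; }
  // storedDecision lets a previously recorded choice be restored on later pages.
  constructor(writeCookie, storedDecision = null) {
    this.writeCookie = writeCookie;
    this.decision = storedDecision; // null = no choice made yet
    this.pending = [];               // non-essential cookies held back until a choice exists
  }

  // Returns true only if the cookie was actually written to the terminal.
  setCookie(name, value, purpose) {
    if (purpose === "essential") { this.writeCookie(name, value); return true; }
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (this.decision === null) { this.pending.push({ name, value, purpose }); return false; }
    if (this.decision[purpose] === true) { this.writeCookie(name, value); return true; }
    return false; // purpose refused: dropped, not queued
  }

  // Accepting and refusing are single, symmetric actions.
  acceptAll() { this.record(Object.fromEntries(PURPOSES.map(p => [p, true]))); }
  refuseAll() { this.record(Object.fromEntries(PURPOSES.map(p => [p, false]))); }

  record(choices) {
    for (const p of PURPOSES) {
      if (typeof choices[p] !== "boolean") throw new Error(`no choice recorded for ${p}`);
    }
    this.decision = { ...choices };
    // The record of the choice itself is treated as essential so that a refusal
    // is remembered and the banner is not shown again on every page (assumption).
    this.writeCookie("consent", JSON.stringify(this.decision));
    const queued = this.pending;
    this.pending = [];
    for (const c of queued) this.setCookie(c.name, c.value, c.purpose); // replay against the decision
  }
}

// Banner model: a layer is a list of buttons; a button either opens another
// layer (`next`) or records a decision (`decide`). clicksTo() breadth-first
// searches for the fewest clicks from the first layer to a decision that
// satisfies `wanted`.
function clicksTo(firstLayer, wanted) {
  const queue = [{ layer: firstLayer, clicks: 0 }];
  const seen = new Set([firstLayer]);
  while (queue.length > 0) {
    const { layer, clicks } = queue.shift();
    for (const b of layer) {
      if (b.decide && wanted(b.decide)) return clicks + 1;
      if (b.next && !seen.has(b.next)) {
        seen.add(b.next);
        queue.push({ layer: b.next, clicks: clicks + 1 });
      }
    }
  }
  return Infinity; // no button ever reaches the wanted decision
}

const allTrue = d => PURPOSES.every(p => d[p] === true);
const allFalse = d => PURPOSES.every(p => d[p] === false);

// CNIL's point in the Google case: refusal must be offered with the same
// degree of simplicity as acceptance.
function refusalAsEasyAsAcceptance(firstLayer) {
  return clicksTo(firstLayer, allFalse) <= clicksTo(firstLayer, allTrue);
}

const ACCEPT = Object.fromEntries(PURPOSES.map(p => [p, true]));
const REFUSE = Object.fromEntries(PURPOSES.map(p => [p, false]));

// Constructed banner 1: both choices on the first screen.
const symmetricBanner = [
  { label: "Accept all", decide: ACCEPT },
  { label: "Refuse all", decide: REFUSE },
];

// Constructed banner 2: one click to accept, a chain of screens to refuse.
const confirmLayer = [{ label: "Confirm", decide: REFUSE }];
const advertisingLayer = [{ label: "Disable advertising", next: confirmLayer }, { label: "Keep all", decide: ACCEPT }];
const analyticsLayer = [{ label: "Disable analytics", next: advertisingLayer }, { label: "Keep all", decide: ACCEPT }];
const settingsLayer = [{ label: "Open purpose settings", next: analyticsLayer }, { label: "Keep all", decide: ACCEPT }];
const asymmetricBanner = [
  { label: "Accept all", decide: ACCEPT },
  { label: "Customize", next: settingsLayer },
];
```

Run under Node. In a browser, analytics and advertising tags should call setCookie through the gate rather than assigning document.cookie directly, so nothing non-essential reaches the terminal before a decision exists; a refusal simply drops the queued writes. clicksTo makes the asymmetry CNIL objected to measurable: the constructed asymmetric banner needs one click to accept and five to refuse, so refusalAsEasyAsAcceptance returns false for it and true for the symmetric banner.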
CNIL is the French administrative authority responsible for ensuring the application of data protection law.
The Council of State (Conseil d'État) is France's highest administrative court.
The recommendations lay down basic compliance requirements for entities using cookies, centred on obtaining free, informed and explicit consent and on providing a clear right of refusal and withdrawal. They can be accessed here: Délibération n° 2020-091 du 17 septembre 2020 portant adoption de lignes directrices relatives à l'application de l'article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture et écriture dans le terminal d'un utilisateur (notamment aux « cookies et autres traceurs ») et abrogeant la délibération n° 2019-093 du 4 juillet 2019 (cnil.fr)
These have been repealed by the recommendations of September 17, 2020.
The recommendations state that the mechanism for expressing a refusal to consent to read and/or write operations must be accessible on the same screen and with the same facility as the mechanism for expressing consent.
 “Intermediary,” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes