Back to Feed
GDPRJul 17, 2026

CNIL (France) - SAN-2020-013

CNIL fines Amazon Europe Core €35M for non-consensual cookie placement and insufficient disclosure.

Summary

The French Data Protection Authority (CNIL) imposed a €35 million fine on Amazon Europe Core in December 2020 for placing commercial tracking cookies without user consent and failing to provide adequate information about cookie usage. Amazon challenged CNIL's territorial competence and investigation legality, but the DPA upheld its jurisdiction and enforcement actions under GDPR Articles 6, 9, and 83, as well as the ePrivacy Directive.

Full text

Help CNIL (France) - SAN-2020-013: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 17:10, 6 December 2023 view sourceAr (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators2,246 editsm ← Older edit Latest revision as of 11:09, 17 July 2026 view source Sfl (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators479 editsm Tag: Visual edit Line 32: Line 32: |GDPR_Article_Link_4=Article 94 GDPR|GDPR_Article_Link_4=Article 94 GDPR |EU_Law_Name_1=Directive 2002/58/EC|EU_Law_Name_1=ePrivacy Directive 2002/58/EC |EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=FR|EU_Law_Link_1=https://eur-lex.europa.eu/eli/dir/2002/58/oj |National_Law_Name_1=Ordonnance n° 2014-1329 du 6 novembre 2014 relative aux délibérations à distance des instances administratives à caractère collégial|National_Law_Name_1=Ordonnance n° 2014-1329 du 6 novembre 2014 relative aux délibérations à distance des instances administratives à caractère collégial Latest revision as of 11:09, 17 July 2026 CNIL - SAN-2020-013 Authority: CNIL (France) Jurisdiction: France Relevant Law: Article 6 GDPR Article 9 GDPR Article 83 GDPR Article 94 GDPR ePrivacy Directive 2002/58/ECOrdonnance n° 2014-1329 du 6 novembre 2014 relative aux délibérations à distance des instances administratives à caractère collégialloi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés Type: Investigation Outcome: Violation Found Started: Decided: 07.12.2020 Published: 10.12.2020 Fine: 35000000 EUR Parties: Amazon Europe Core National Case Number/Name: SAN-2020-013 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): French Original Source: Legifrance (in FR) Initial Contributor: Roka The French DPA (CNIL) imposed a €35,000,000 fine on Amazon Europe Core for placing commercial cookies without data subject consent and providing insufficient information regarding the use of cookies. Amazon unsuccessfully tried to challenge the DPA's territorial competence and the legality of its investigation procedure. Contents 1 English Summary 1.1 Facts 1.2 Dispute 1.3 Holding 1.3.1 On the territorial competence of the CNIL 1.3.2 On the legality of the investigation procedure 1.3.3 On the placement of cookies prior to any action from the user 1.3.4 On the information of the user regarding cookies 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Between December 2019 and May 2020, the CNIL conducted three online and one on-site investigations on Amazon Europe Core (AEC), a subsidiary company of the Amazon group operating the shopping site amazon.fr. These investigations aimed at assessing the company's compliance with the French data protection law. The French DPA reported several infringements of the data protection law by AEC when placing cookies. The company responded by contesting the competence of the CNIL on this matter due to the fact that its main establishment is located in Luxembourg and by challenging the legality of the investigation procedure. Dispute Is the French DPA competent to sanction a company whose main establishment is not located in France? Does the investigation procedure of the CNIL infringes with the right to a fair trial as guaranteed by Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms? Did AEC infringe on the French data protection law by placing cookies on the user's computer prior to any action on its part? Did AEC failed to properly inform the user of its use of cookies? Holding The CNIL considered itself competent to investigate AEC and ruled that the company infringed on the French data protection law and on the Directive 2002/58/EC (ePrivacy) while placing cookies. As a consequence, the CNIL imposed a € 35000000 fine on AEC, coupled with an injunction to comply with the Law within three months with a € 100000 penalty per overdue day. Due to the seriousness of the wrongdoings and the high number of Amazon services' users, the CNIL decided to make this sanction publicly available for a two year period. On the territorial competence of the CNIL AEC argued that the French DPA is not competent to investigate on its activity due to the one-stop-shop principle of GDPR. To support this claim, AEC higlights that the CNIL's investigation initial purpose was, among other things, to ensure that the company complied with GDPR, meaning that the sanction could only be given by the authority relevant to the main establishment of the company in the EU. Furthermore, AEC argued that even though the investigation dealt with cookies which are regulated by the Directive ePrivacy, cookies cannot be dissociated from personal data processing, meaning that the GDPR rules on national competence should prevail. The CNIL rejected this interpretation and deemed itself competent as it was not only investigating GDPR infringements but also breaches of the Directive ePrivacy, transcribed into French law. It reminded that GDPR and ePrivacy each had their own investigating procedure when dealing with their respective requirements. Also, it clarifies that ePrivacy applies as a specialia generalibus derogant rule, based on the interpretation of Article 95 GDPR in the line of the Rec (173) GDPR and Article 1(2) and 15a of the ePrivacy Directive. The CNIL added that the investigation focused on the amazon.fr website targeting french customers. On the legality of the investigation procedure Regarding the legality of the procedure, AEC accuses the investigating party of submitting the company to questions without telling the purpose and legal basis of the controls carried out. This meant that the company could not exercise its right not to contribute to its own indictment . AEC also argued that the investigating party's method, involving reproducing a user's path was inaccurate as it did not allow to differentiate between Amazon's cookies and the ones placed by third parties when visiting other websites. The CNIL responded by quoting Article 18 of the French data protection law which states that the investigated body has to answer to the CNIL's questions without the CNIL having to justify them and that at the time of those questions no accusation was being made against AEC. Regarding the investigation method, the CNIL argued that it reproduced several user's path in order to determine which cookies were placed when visiting the Amazon website and that it excluded from the perimeter of the investigation those that originated from a third party website. As such, the CNIL considers its investigation procedure to be licit. On the placement of cookies prior to any action from the user While investigating, the CNIL noticed that more than 40 cookies for commercial purposes were placed on the user's device prior to any act of consent from its part. AEC responded that its cookie practice is subject to the Luxembourg law and not the French law and that Luxembourg allowed to base the consent on the cookie parameters of the web browser. The company added that it changed its french cookie policy in September 2020, but affirmed that it never infringed on the Luxembourg law on cookies. The CNIL rejected this argumentation, considering that the website targeted french customers, and that cookies for commercial purposes always require consent from the data subject as they are not part of the exemptions listed in Article 5(3) of the Directive ePrivacy transcribed in Article 82 of the French data protection law. On the information of the user regarding cookies The amazon.fr website displayed the following notice regarding cookies: "By using this site, you agree to os ar use of cookies to provide and improve our services. Further information" The DPA found that this wording is not sufficient in order to comply with the transparency principle as

Entities

Amazon (vendor)Amazon.fr (product)