Amazon.com Inc. has been hit with the biggest ever GDPR privacy fine—a whopping 746 million-euro ($887 million) penalty—for violating the European Union’s data protection rules.
Luxembourg’s data protection authority, the CNPD, slapped Amazon with the record-breaking fine in a July 16th decision that accused the online retailer of violating the rules of the EU’s General Data Protection Regulation (GDPR) while processing personal data and tracking consumers for advertising purposes.
The decision was disclosed in an Amazon SEC filing released Friday, in which the online retail giant protested the ruling and vowed to “defend ourselves vigorously in this matter,” signaling its intent to appeal the ruling and fight it in the European courts.
Why Was Amazon Fined by the GDPR?
The specifics of the ruling are unavailable, as the CNPD does not comment on open cases, and Amazon has not said which practices the CNPD targeted, but we can glean some information from the circumstances surrounding the ruling.
July’s penalty is the result of a complaint filed in 2018 by French privacy rights group La Quadrature du Net. That complaint, which also targeted Facebook, Apple, Google, and LinkedIn, accused Amazon of manipulating the advertising and information served to customers without their consent.
In a statement, La Quadrature du Net celebrated the CNPD’s ruling. “The decision seems unambiguous: the advertising targeting system imposed by Amazon is carried out without our free consent, in violation of the GDPR.”
“There has been no data breach, and no customer data has been exposed to any third party,” Amazon said in the statement. “These facts are undisputed. We strongly disagree with the CNPD’s ruling.”
That statement implies that a data breach must occur in order to constitute a non-compliant event, a narrative that La Quadrature du Net takes issue with. In response, the group notes that “it is the targeted advertising system itself that our complaints intend to wipe out as a whole, and not a few occasional security breaches.”
Amazon also questioned the validity of the GDPR interpretations that set precedent for this fine:
“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
How can the CNPD issue such massive fines?
Under the GDPR, data protection agencies can issue fines of as much as 4% of a company’s annual global sales. For Amazon, that would be approximately 15 billion USD. Until the CNPD’s ruling, the biggest fine to date was a 50 million-euro penalty against Google issued by France’s CNIL.
Consent violations are nothing new, but such harsh penalties are unusual. Last week, France’s data protection authority, the CNIL, issued 40 formal notices of noncompliance regarding tracking and consent, but notified organizations will have until Sept. 6th to bring themselves into compliance before fines are issued. With the issue of such a massive fine, the CNPD could be ushering in a new era of much stricter GDPR enforcement.
What are the GDPR’s rules on consent and tracking?
Here are some basic facts of the GDPR’s consent rules, per the latest interpretation from the Italian data protection authority, which closely mirrors the French guidelines:
- Non-essential tracking cookies must be set to opt-out by default.
- A consent banner must be clearly distinguishable on the web page and offer users the possibility of continuing without being tracked (opt-out).
- Soft opt-in, in which consent is assumed when a user navigates away from the banner without accepting or rejecting it, is not allowed.
- Cookie walls, i.e., consent banners that deny users access to a webpage if they don’t consent to cookies and trackers, are forbidden.
- Site owners may not re-present the consent banner on every new visit to users who declined it. The user’s choice to opt out must be duly recorded and not solicited again.
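The rules above translate into a small amount of gating logic on the site itself. The following is an added example (not Ensighten's code or any regulator's reference implementation) of a minimal consent gate: non-essential trackers are blocked by default, only an explicit choice is ever recorded, a recorded choice stops the banner from reappearing, and page content is never gated on consent. The storage key and category names are constructed for the example; in a browser you would pass `window.localStorage` and wire the functions to the banner's buttons.

```javascript
// Added example, not Ensighten's or the CNPD's code: a minimal consent gate
// that models the rules above. Storage-agnostic so it runs under Node for tests;
// in a browser, pass window.localStorage and hook the functions to the banner.

const CONSENT_KEY = "cookie_consent_v1";            // assumed storage key
const NON_ESSENTIAL = ["analytics", "advertising"]; // constructed category list

// Opt-out by default: nothing non-essential is allowed until the user decides.
function defaultConsent() {
  return { decided: false, allowed: { essential: true, analytics: false, advertising: false } };
}

// Read a recorded choice; anything missing or malformed falls back to the default.
function loadConsent(storage) {
  try {
    const saved = JSON.parse(storage.getItem(CONSENT_KEY) || "null");
    if (!saved || saved.decided !== true || typeof saved.allowed !== "object") return defaultConsent();
    const allowed = { essential: true };
    for (const c of NON_ESSENTIAL) allowed[c] = saved.allowed[c] === true;
    return { decided: true, allowed };
  } catch (e) {
    return defaultConsent();
  }
}

// Persist an explicit choice. Dismissing or scrolling past the banner (soft
// opt-in) never calls this, so only an affirmative act can be recorded.
function recordChoice(storage, choices) {
  const allowed = { essential: true };
  for (const c of NON_ESSENTIAL) allowed[c] = choices[c] === true;
  const consent = { decided: true, allowed };
  storage.setItem(CONSENT_KEY, JSON.stringify(consent));
  return consent;
}

// Show the banner only while no choice is recorded; a stored rejection is
// honoured on later visits instead of being re-solicited.
function shouldShowBanner(consent) {
  return !consent.decided;
}

// Run a tracker only when its category is allowed. Page content is never
// gated on this (no cookie wall): only the tracker is.
function fireTracker(consent, category, fire) {
  if (category !== "essential" && !NON_ESSENTIAL.includes(category)) {
    throw new Error("unknown tracker category: " + category);
  }
  if (!consent.allowed[category]) return false;
  fire();
  return true;
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return { getItem: k => (data.has(k) ? data.get(k) : null), setItem: (k, v) => data.set(k, String(v)) };
}
```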
Do the GDPR’s rules apply to my business?
Any website or application that targets EU visitors must comply with the GDPR. That means if you offer goods or services in Europe through your website, you must be compliant with the GDPR, as well as the local data protection authority’s guidelines. A site that targets French users (e.g., by offering content in French, or by shipping to or selling in France), for instance, is subject to French cookie requirements.
How Ensighten can help
As guidelines and regulations continue to evolve, marketers and site owners must remain vigilant in updating and maintaining compliance. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the GDPR, CCPA, LGPD, and many more laws and frameworks.
With Ensighten Consent Management Plus (CMP+), you can set up customizable consent banners and give your customers a clear-cut choice on how their data is used, or whether it is collected at all.
Ensighten CMP+ offers real-time enforcement, so user preferences are applied instantaneously, and no cookies or tracking measures are fired before consent is given.
And it’s easy to use. Our low-code, zero-integration deployment means Ensighten CMP+ can be added to every iteration of your website with a simple line of code.
You can also use Ensighten to perform a full audit of your website—up to 5000 pages—so you can understand which cookies and tracking technologies are in use, and identify potential security or compliance issues.
Request a demo today to see how Ensighten can help your organization stay compliant with evolving regulations worldwide.
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.