TikTok — $5.4 million

In January 2023, France’s data protection watchdog, CNIL, fined TikTok €5 million ($5.4 million) for making it difficult to refuse cookies on its website. The CNIL found that TikTok manipulated consent by discouraging users from rejecting cookies. They required multiple clicks to refuse cookies, but only one click to accept them. TikTok resolved the issue by adding a “Refuse all” button to its site. 

The CNIL also found that TikTok did not adequately inform users about the purpose of cookies. These actions are part of France’s enforcement of cookie consent requirements, which aim to address tracking practices without proper consent. While the enforcement is limited to France, it may have broader implications for companies operating in the EU. TikTok stated that they have addressed the issues and will be prioritizing user privacy in the future.

Microsoft -$65 Million

On December 22, 2022, Microsoft Ireland was fined €60 million ($65 million) by CNIL for not providing an easy option to refuse cookies on bing.com. CNIL’s investigations found cookies being used for advertising purposes without user consent. 
The fine was based on the extent of data processing, affected users, and profits generated from the data collected using these cookies. 
Microsoft was ordered to obtain consent from French users before depositing advertising cookies, with a daily penalty of €60,000 for non-compliance. CNIL determined that the company breached Article 82 of the French Data Protection Act by depositing cookies without consent and by not providing a compliant means of collecting consent. 

Sephora — $1.2 million

In August 2022, Sephora, a prominent beauty retailer, became the first company publicly fined for violating California’s Consumer Privacy Act (CCPA). California Attorney General announced a settlement with Sephora to address the alleged CCPA violations, which include:
Using data tracking technologies such as cookies that sent consumers’ data to external ad tech and analytics companies without properly informing or offering an opt-out choice to consumers. The CCPA requires businesses to either set up contracts with vendors to ensure compliant data handling or offer consumers a means to opt out, but Sephora did neither. 
Failing to process consumer opt-out requests made through universal privacy controls like the Global Privacy Control (GPC). Failing to take corrective action within the 30-day cure period allowed by the CCPA for businesses to address violations. (The right to cure violations under the CCPA is no longer available with the implementation of the CPRA)
As a result, Sephora was fined $1.2 million and ordered to meet the following terms:
Revise online disclosures and privacy policy to explicitly state their personal information selling practices.

Google — $162 million

On December 31, 2021, Google was fined a total of €150 million ($162 million) by the CNIL for not providing an easy way for users on google.fr and youtube.com to refuse cookies compared to accepting them.
CNIL conducted an investigation after receiving complaints and found that while Google offered a one-click option to accept cookies, there was no similarly user-friendly solution to reject them. This discrepancy violated users’ freedom of consent and discouraged cookie refusal.
The fines, €90 million ($97 million) for Google LLC and €60 million ($65 million) for Google Ireland Limited, were justified based on the number of affected users and the significant profits derived from advertising revenue tied to collected data. In addition to the fines, CNIL issued an injunction requiring Google to provide a simplified means for French internet users to refuse cookies within three months, with daily penalty payments for non-compliance.

Facebook — $65 million

On December 31, 2021, Facebook Ireland Limited was fined €60 million ($65 million) by the CNIL for making it difficult for users in France to refuse cookies on Facebook.com. The CNIL received complaints and found that accepting cookies was easy with a single click while rejecting them required multiple clicks and was less prominent. This complex process discouraged users from refusing cookies, violating their freedom of consent.
The restricted committee also found Facebook’s information unclear as users had to click on a button labeled “Accept cookies” to refuse them, causing confusion.
They judged these methods and lack of clarity to be violations of Article 82 of the French Data Protection Act. Like Google, CNIL gave Facebook a three-month deadline to simplify the cookie refusal process or face a daily penalty of €100,000. Similarly, the GDPR “one-stop shop” mechanism did not apply here as well.

Amazon — $38 million

On December 7, 2020, the French data protection authority, CNIL, sanctioned Amazon Europe Core a fine of €35 million ($38 million). The company placed advertising cookies on users’ computers without obtaining consent or providing sufficient information on the Amazon.fr sales site.
CNIL found two violations of the Data Protection Act:
It automatically placed numerous advertising cookies on users’ computers without their consent, which was not essential for the service. This failure to obtain consent violated the obligation to seek user consent before depositing cookies.
The banner displayed on the Amazon.fr site did not adequately inform French users about the cookies. It lacked clear information about the cookies objectives and how to refuse them.
Moreover, when users visited Amazon.fr after clicking on an advertisement on another website, the same cookies were placed on the user’s devices without displaying any banner, which was another violation.
This incident emphasizes the importance of obtaining explicit user consent and providing transparent information about cookies, especially for advertising purposes.

Carrefour — $3.23 million

In November 2020, the CNIL fined Carrefour, a retail and wholesaling corporation, a total of €3 million ($32.3 million) following inspections at Carrefour France and Carrefour Banque. The CNIL discovered multiple GDPR violations, including a breach of cookie consent.
Regarding cookies, the CNIL found that both the carrefour.fr and carrefour-banque.fr websites placed cookies on users’ devices without obtaining their consent.
Some of these cookies were used for advertising purposes, requiring prior consent. The companies modified their website functionalities during the procedure to ensure that advertising cookies are no longer placed without user consent.
Carrefour also violated GDPR requirements in other areas, such as inadequate information provision, excessive data retention, unjustified identity verification, failure to respond to requests, and transmit more data than disclosed.
The company made changes to address these issues during the procedure. Consequently, Carrefour France was fined €2.25 million ($2.42 million), and Carrefour Banque received a penalty of €800,000 ($861,868). Despite the infringements, no compliance injunction was issued due to the significant efforts made to rectify the issues.

Twitter – $32,320

On June 9, 2020, the Spanish Data Protection Agency (AEPD) imposed a €30,000 ($32,320) fine on Twitter for alleged non-compliance with Law 34/2002 on information society services and electronic commerce. The complaint raised concerns about Twitter’s insufficient disclosure of cookie information and lack of clarity regarding the involvement of third-party partners. The investigation revealed that Twitter automatically stored various cookies on its website for analytics, customization, and advertising purposes. Despite being notified of the proceedings, Twitter did not provide a response. The utilization of non-essential cookies without clear information or options for users to opt out or manage them was considered a violation of the law. Consequently, the fine was imposed, taking into account the intentional nature of the violation and other relevant criteria.

Twitter’s fine is relatively small compared to fines imposed on other companies and even its own revenue. This holds true for many companies, as they often earn much more annually than the fines they receive. However, it still serves as a crucial reminder not to underestimate the importance of cookie consent laws. Non-compliance can have severe consequences, particularly for small businesses.