CNIL fines Carrefour and Carrefour bank for setting cookies without consent

France: Setting advertising cookies just became expensive for Carrefour and Carrefour Bank, as the CNIL imposed fines of €2,250,000 and €800,000 for several breaches of the GDPR.

CNIL fines Carrefour for breaches of the GDPR

On November 26, 2020, the French Data Protection Authority CNIL announced it had imposed fines on Carrefour and Carrefour Bank for failing to obtain users’ consent before setting advertising cookies.

Moreover, the CNIL held that Carrefour Bank had also failed to provide adequate and complete information on its website regarding a ‘pass card’ online subscription.

It therefore sanctioned Carrefour France with a fine of €2,250,000 and Carrefour Banque with a fine of €800,000. 

On the other hand, the CNIL did not issue an injunction, as significant efforts had been made to correct processes and bring the identified breaches into compliance.

Failed to collect valid consent to cookies

The CNIL noted that, when a user connects to the carrefour.fr site or the carrefour-banque.fr site, several cookies were automatically placed on the user’s device (computer/phone), before any action was taken on the site. 

Several of these cookies are used for advertising. The user’s consent should have been collected before these tracking cookies were placed.

The companies modified the way their websites function during the procedure. No advertising cookies are now deposited before the user has given their consent.

How to collect valid consent to cookies

When your website uses cookies, either first-party cookies or third-party cookies from services like Google Analytics, Facebook Pixel, LinkedIn Insights or YouTube, you are required to collect your users’ valid consent to cookies.

Cookies from the above-mentioned services all collect your users’ personal data for processing. Therefore, using these types of cookies requires you to collect consent that meets the requirements of Recital 32 of the GDPR.

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her (...) Silence, pre-ticked boxes or inactivity should not therefore constitute consent”.

GDPR Recital 32

When it comes to informing users about cookies, obtaining and storing valid consents, you should use a certified Consent Management Platform.

With a Consent Solution from Cookie Information, you will receive a cookie consent pop-up that will:

About us

Cookie Information is a Privacy Tech company specialized in developing software that helps you and your company make your websites and mobile apps GDPR and ePrivacy compliant.

Contact information

Cookie Information A/S

Kristen Bernikows Gade 4,
1105 Copenhagen K, Denmark

VAT: DK-38758292

Copyright © 2021
