2 min read

Share this Blog

Rate this Post

Bittersweet Cookies – Google Fined With 100 Million Euros for Wrongfully Collecting Website Cookies


Cookies constitute an essential part of each internet search and the use of social media platforms, as well as when visiting numerous websites – it is a step which cannot be skipped.

Even though the majority of people do not even read the information presented to them before they click ‘Accept’ on a cookie banner, cookies are still very important.

Cookies are important to those individuals whose data is collected when they browse the internet, and of even greater importance to those companies that provide their services online. Whether you provide e-commerce services or other online services, the chances are that you are using cookies on your website – and when using cookies, you are obliged to have a Cookie Policy, based on the regulations on personal data protection.

Why Are Cookies So Important?

In most cases, the Cookie Policy represents an essential part of the Privacy Policy, although it is best to create a separate web page for the Cookie Policy. It consists of small files that are being sent to the end-users on the internet, and it enables the website owner to access those cookies afterwards and collect the data necessary for the functioning of their website, as well as their business in general.

The important thing about cookies is that they notify the end-users which cookies are active, what is their purpose, what user’s data is being tracked and collected, and finally, where all the information will be collected and stored. After this explanation, one becomes aware of the fact that cookies are extremely important, even though people do not pay much attention to them.

While creating the cookie policy, each part must be explained in detail, as after an internet user clicks on ‘Accept’ on a cookie banner, the user’s privacy and internet security become part of the equation.

Which Move Made by Google Is the Reason for the 100 Million Euro Fine?

In the same way as users had to choose the option ‘Accept’, Google now has to accept and pay the substantial fine imposed upon them, for violating the policy which they themselves provided and explained to users. The regulation which controls personal data protection in detail is widely known. The regulation in question is the one adopted by the European Union, ie the GDPR (General Data Privacy Regulation) . The aim of this regulation is to provide internet users with a broad spectrum of rights while browsing the internet, and to fine the companies that violate said regulations. Google LLC and Google Ireland know what it feels like to be fined, after the decision made on December 7th , 2020. French authorities for data protection (CNIL), based on the evidence they have found, concluded that the aforementioned company had violated the provisions of the regulation, and thus, without any basis, unlawfully collected the personal data of users, causing intangible damages.

This is not the first time that Google has been fined due to violating personal data protection regulations . Namely, France had noticed the violation of GDPR provisions the first time it had occurred. Back then, the oversight was also related to informing the user about the data being collected for the purpose of personalized ads. It seems that Google had no intention of changing their cookies, until the decision made by CNIL, although these cookies cause damage to end-users, who do not feel secure while using this internet browser.

As previously mentioned, it is necessary to provide users with a possibility to understand the cookies that will be active during their internet search process.

In the decision made on December 7, the French authorities stated that Google had no intention of respecting such procedures, thus violating the rules. CNIL has announced that on March 16, 2020, they have concluded in-depth processing of google.fr, and have found that there had been a substantial violation, since a number of cookies, mostly for ad-tracking purposes, have been placed into the user’s device, without their knowledge and the possibility of activating the cookies knowingly.

When one takes into account the GDPR regulations, and the investigation of the French authorities, it is clear that there has been a violation of the EU regulation. It must be noted that the ad-tracking cookies which were active without the user’s consent, are not strictly necessary cookies. The only basis for such a cookie, which collects essential data of individuals who share their information, and trust the companies that provide internet services, is the user’s consent. Without consent, ad-tracking cookies shall not and cannot be activated ‘in secret’. The only cookies which can be active without consent, and the end-user’s acceptance are strictly necessary cookies. However, it seems that Google LLC and Google Ireland do not share the legislator’s views.

The second argument confirming Google’s responsibility in this act is the fact that the banner consisted of 2 possibilities (the banner, following the rules prescribed by laws and regulations on the national and international level, has to include full information on cookies that are collected on the said page or browser): ‘Remind me later’ and ‘Access now’. At first glance, it seems that there aren’t any anomalies in these options. However, after clicking on either of these options on the banner, it is clear that they offer no explanation regarding the automatic setting of cookies on the user’s device. By extension, the users were not obliged to, nor could they in any way know, what is on their device, and how it got there.

The last argument of the French authorities was the fact that the option to deactivate the ad-tracking cookies did exist by simply clicking the button ‘Consult now’, however, as soon as the user would click there, the ad-tracking cookies did not disappear, but remained active and were collecting information, even though the user had decided to deactivate them.

Based on these arguments, and the final conclusion, Google LLC was fined 60 million euros, and Google Ireland 40 million euros, because they have wrongfully collected the user’s data. This kind of decision can serve as a precaution, as an obvious example to all those who have thought about collecting a bit of data ‘in secret’.

Serbia does not lag with regulating this issue at the European and global level. The Law on Personal Data Protection prescribes the possibility of imposing a fine , from 50,000 dinars, up to 2 million dinars for a single violation and damage to the user’s rights.

One of the things that have a great consequence for those in the e-commerce business is their reputation. Besides paying a huge fine, a company can lose its clients, due to the unlawful collection of their personal data.

Don’t End up Like Google

As much as you believe reading the cookie policy is boring and insignificant, cookies collect, process, and store numerous important data, so they should not be disregarded. Not knowing the rules is not an excuse, and it cannot save you from the responsibility in case you violate those rules. When something like that happens, both sides are the losing sides in the virtual world. The users, who trusted the company, lose certain parts of their privacy and personal data, while e-commerce traders are obliged to pay huge fines, and lose their customers.

It would be useful if each individual on the internet, as well as internet providers, and end-users, familiarize themselves with the existing rules.

Bear in mind, cookies might not always end up being sweet – they might even leave a bitter taste which will not be easily forgotten.

Similar Articles

1 min read

Zunic Law


Latest Articles

Ready to get started?

If you are not sure about what the first step should be, schedule consultations with one of our experts.





Not Just Another Newsletter

Forget boring legal analysis and theory. Receive timely updates,
news and reminders that can actually help your business.