Chances are that you have interacted with a cookie consent solution, which is a popup that asks you to consent to the placement of cookies on your device. Cookies are small pieces of data that a website places on a user’s device and that track the user for a variety of purposes such as security, authentication, advertising and analytics. In fact, multiple privacy laws require websites to have a cookie consent banner that provides individuals with a choice regarding cookies. If these privacy laws apply to you and your website uses cookies, then you will need to provide a cookie consent banner to your website’s visitors as well. Failure to do so can lead to some heavy fines.
In this article, we will discuss some examples of cookie consent fines that have been issued to companies (both large and small) so that you can avoid the types of practices that have landed some companies in privacy hot water and hopefully avoid costly fines as well.
Cookie consent fines can usually be broken down into the following categories:
- Failing to provide a cookie consent banner;
- Placing cookies on a user’s device without their consent;
- Failing to obtain proper consent;
- Not providing individuals with the right to withdraw their consent; and
- Failure to provide individuals with appropriate information regarding cookies.
Example 1: Yahoo fined €10 million for cookie consent violations
Our first example of cookie consent fines comes from the French Data Protection Authority, CNIL. CNIL fined Yahoo €10 million for the following reasons:
- CNIL found that approximately 20 advertising cookies were placed on the user’s device without consent. You must obtain express consent for the placement of advertising cookies on a user’s device; and
- CNIL found that Yahoo did not provide users with the ability to freely withdraw their consent. If a user wished to withdraw their consent to cookies, they were presented with a message stating that they would have to stop using the Yahoo Mail service. This practice violates the principle that refusal to consent or withdrawal of consent should not harm the user.
Example 2: Roularta Press Group fined €50,000 for cookie consent violations
Our second example of cookie consent fines comes from the Belgian Data Protection Authority. The DPA fined Roularta, a press group that manages two news websites, for the following reasons:
- Around 60 cookies were placed by the websites on the user’s device without the prior consent of the user;
- The company did not provide the user with sufficient information regarding the use of cookies by their websites; and
- The consent for the installation of cookies was pre-checked. Since a user must take an affirmative action to show consent (by, for example, checking a box), pre-checked boxes are not sufficient to demonstrate consent.
Example 3: Vueling fined €30,000 for not having a cookie consent banner
In our third example, the Spanish airline Vueling Airlines received a fine of €30,000 for failing to provide a cookie consent banner. Spain’s Data Protection Authority found that while the company did provide a Cookie Policy, which listed the cookies that they used, it failed to comply with applicable cookie laws by failing to provide a cookie consent banner where users could manage the cookies that were placed on their devices.
Example 4: TikTok fined €5 million for deceptive cookie consent
In our fourth example, the social media company TikTok was fined €5 million by CNIL for cookie consent banner designs that made it more difficult to refuse cookies than to accept them. CNIL found that TikTok’s cookie consent banner allowed individuals to accept cookies with one click. However, individuals who wanted to refuse all cookies had to make several clicks, making the refusal mechanism more complex and thus discouraging users from refusing cookies. In addition, CNIL found that users were not informed sufficiently of the purposes of the cookies on both the initial banner and the user interface.
Example 5: Company fined €15,000 for cookie consent violations
In our fifth example of cookie consent fines, the Belgian DPA fined an anonymous company €15,000 for the following reasons:
- The company’s Privacy Policy and Cookie Policy did not comply with GDPR and did not contain transparent information about the individual’s privacy rights;
- The company did not provide the legal basis for processing, the data subject rights, nor the data retention period in their Privacy Policy;
- The company used pre-checked boxes to obtain consent for the use of cookies and thus did not obtain the proper consent needed for the placement of cookies on the user’s device.
Example 6: Two companies fined €20,000 and €30,000 for cookie consent violations
Our sixth example of cookie consent fines comes from Croatia, which fined two gambling and betting companies €20,000 and €30,000 for the following reasons:
- The companies did not provide the legal basis for processing personal data through the use of cookies;
- The companies did not provide information to their website users as there was no option to provide or withdraw consent separately for each type of cookie;
- The companies did not provide the purpose of the cookies nor the cookie storage period for each cookie placed on the user’s device.
Example 7: Sephora fined $1.2 million for failure to provide opt-out of sales option
Our seventh example of cookie consent fines comes from California where the California Attorney General fined cosmetics company Sephora $1.2 million. The fine stems from Sephora failing to inform consumers that their personal information would be sold and failing to provide users with the ability to opt out of sales of their personal information through their cookie consent banner.
Example 8: Microsoft fined $60 million for cookie practices
Our eighth example of cookie consent fines comes from France’s CNIL, which fined Microsoft $60 million over the cookie consent practices of the search engine Bing. CNIL found that the company’s practices made it easier to accept cookies than to refuse them, which is in violation of multiple cookie consent laws. The design of the cookie consent banner was also found to be deceptive, as acceptance was collected via a very prominent button, with no equivalent button being made available for refusal of cookies. In addition, CNIL found that certain tracking cookies were placed on the user’s device without their consent.
As you can see from the above, multiple companies, both large and small, have been fined for noncompliance with cookie consent laws. It is important that you check your cookie consent banner for the violations listed above to ensure that you are not similarly fined. If you do not currently have a cookie consent banner or if your cookie consent banner has any of the violations listed above, make sure to check out the Termageddon <> Usercentrics cookie consent solution.