London - Paris

French DPA CNIL Fined Carrefour for Cookies

French DPA CNIL Fined Carrefour for Cookies

Une amende, not an almond, but a fine for cookies.

The French DPA CNIL finally enforced the law, Carrefour supermarket and Carrefour Bank fined for 2 250 000 euros and 800 000 euros.
– lack of transparency (article 13 GDPR)
– unlawful cookies (article 82 de la loi Informatique et Libertés)
– storage limitation, article 5.1.e GDPR
– lack of mention of data subjects rights, article 12 GDPR
– infringement of articles 15, 17 et 21 du RGPD et L34-5 Code des postes et des communications électroniques
– unlawful and unfair data processing, article 5 GDPR.

Here is the new Carrefour’s website cookie situation with a link to what looks to be full transparency on third parties. Remains the question of the data transfer outside the eeA, Google Analytics and Facebook Connect have been sued by NOYB NGO since the invalidation of the Privacy shield by the ECJ decision SchremsII v Facebook July 2020.

Time for the many websites with unlawful cookies to check their compliance. Consent is required before any cookies are placed, transparency and – as NOYB NGO has already filed – expect Google Analytics and Facebook Connect transferring data to the US to be infringing the GDPR.

CNIL’s decision against Carrefour France.

CNIL’s decision against Carrefour Banque

CNIL’s press release.

CNIL’s recommendations of October 1st 2020 on the use of cookies. “Cookies : solutions pour les outils de mesure d’audience

Max Schrem’s ‘Non of Your Buisness’ NOYB has filed a complaint against 101 companies

A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) – despite both companies clearly falling under US surveillance laws, such as FISA 702. Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the “Privacy Shield” a month after it was invalidated, while Facebook continues to use the “SCCs”, despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.

Nataliia Bielova PhD, a researcher at INRIA, who has done an extensive research on cookies with her colleagues, said :

CARREFOUR is also fined for Google Analytics cookies being used together with Google Ads. In our recent work, we’ve shown that on 38% of websites Google Analytics synchronizes cookies with Google Ads ( Happy to see this sanction that brings this practice to the eyes of the public! Link to our academic peer-reviewed paper:

Together with her colleagues at Inria, they have designed a Massive Open Online Course (MOOC) entitled “Protection de la vie privée dans le monde numérique”. From 2018 till May 2020, the MOOC has been open for 4 sessions and attracted in total over 43,000 French-speaking participants from all over the world. Link to the latest session:


Leave a Reply