10 Companies Fined for Non-Compliant Cookie Banners

Osman Husain 9/1/25 11:45 PM

Cookie consent fines happen when businesses fail to comply with state and federal data privacy laws. Having a legally-compliant cookie banner is a business requirement in Europe, North America, and other jurisdictions. So if your business isn’t compliant, it runs the risk of GDPR cookie fines.

In this post, we dive into the biggest cookie banner fines and talk about when companies were fined for not following the law. Later we also discuss major cookie laws and how you should stay compliant. 

 

10 Cookie Banner Fines & Violations

It should be noted that the biggest and most frequent cookie violation fines tend to get handed down by the EU and its member states. However, other nations do take legal action for egregious offenders. 

 

1. Google — $160 Million

In January 2022, the French Supreme Administrative Court (French Council of State or “Conseil d’Etat”) fined Google $162 million USD over how difficult it was for users to refuse cookies on Google.fr.

The regulator said that while Google provided a virtual button for the immediate acceptance of cookies, there was no equivalent way to refuse them as easily.

 

2. Microsoft - $65 Million

In December 2022, Microsoft Ireland received a €60 million fine from France’s National Commission for Technology and Freedoms (CNIL) for violating privacy regulations. The penalty targeted the Bing search engine, citing the placement of advertising cookies on users’ computers without securing valid consent and failing to provide an equally straightforward option to refuse cookies as to accept them. The ruling also noted that Microsoft derived indirect revenue from the data collected through these practices.

 

3. Facebook — $64.5 Million

In 2022, Facebook was fined by CNIL, the French data protection regulatory agency. This fine was part of the same ruling that implicated Google, with the regulator stating that Facebook made it difficult for French citizens to refuse cookies and, therefore, was in violation of GDPR.

 

4. Amazon — $38 Million

On December 7, 2020, the French data protection authority, CNIL, fined Amazon Europe €35 million ($38 million) for placing advertising cookies on users’ computers without obtaining consent or providing sufficient information on the data collection practices.

CNIL judged Amazon to have:

  • Automatically placed numerous advertising cookies, which were not essential for the service, on users’ computers without consent. This violated the obligation to seek user consent before depositing cookies.
  • Failed to display a clear banner on the Amazon.fr site informing users about the cookies.

 

5. Yahoo - $10.7 Million

In December 2023, Yahoo received a €10 million fine from CNIL for major GDPR breaches. Despite users rejecting cookies, Yahoo placed about 20 tracking cookies for targeted ads. Additionally, Yahoo Mail users who withdrew consent were told they’d lose access to services, pressuring them to click accept instead. Both actions violated requirements for clear, freely given consent.

 

6. Apple — $8.5 Million

In late 2022, tech innovator Apple Inc. also had a run-in with France’s CNIL. This time, the regulator cited the company’s failure to secure consent from French iPhone users before placing ad identifiers on their devices to scrape data. It was the personalized ads that the company delivered via the Apple App Store that raised the alarm. The €8 million fine might be peanuts compared to overall revenue and profit, but it’s a black eye for a company that touts privacy protection for its customer base.

 

7. TikTok — $5.4 Million

TikTok is another social titan that has consistently raised red flags over data collection and privacy concerns. Once again, France’s CNIL dropped the hammer, citing concerns with the video clip-sharing site’s cookie-consent flow. In 2023, the agency announced a €5 million fine. It should be noted that TikTok did work to resolve the issue, hence the much smaller fee compared to other social platforms. 

 

8. Carrefour — $3.23 million

In November 2020, the French regulator CNIL fined Carrefour, one of the biggest retailers in Europe, a total of €3 million ($3.23 million) following inspections of their websites Carrefour France and Carrefour Banque. 

The regulator determined that both the carrefour.fr and carrefour-banque.fr websites placed cookies on users’ devices without obtaining their consent. Some of these cookies were used for advertising purposes, meaning they required explicit consent before storage under GDPR laws.

Carrefour was also fined for other GDPR violations, such as excessive data retention, unjustified identity verification, failure to respond to DSAR requests, and more.

Consequently, Carrefour France was fined €2.25 million ($2.42 million), and Carrefour Banque received a penalty of €800,000 ($861,868).

 

9. Sephora — $1.2 Million

Not long after California’s CCPA went into effect, the state’s Attorney General began catching businesses that failed to meet privacy requirements. Most businesses that were served with warnings worked quickly to remedy their errors within the given 30-day window following receipt. Unfortunately, beauty behemoth Sephora didn’t. In 2022, the multinational giant settled with the state of California for $1.2 million for failing to disclose that consumer data was being sold to third parties and not offering a legitimate opt-out option for California residents.

This is the first example of a CCPA cookie fine.

 

10. Twitter – $32,320

In June 2020, Twitter (now X) was fined €30,000 by Spain’s data protection authority for failing GDPR cookie consent requirements. The AEPD found that Twitter placed non-essential cookies before users could consent and didn’t offer a clear option to reject them. Instead, the banner simply stated, “If you continue browsing, you accept the use of cookies.”

 

Avoid Cookie Fines with Enzuzo

There’s no excuse to knowingly run afoul of privacy and cookie laws. However, since it’s impossible to dictate where your website traffic originates, it can be difficult to ensure that your business is compliant with all the various privacy and data usage regulations that 137 countries have enacted. 

Enzuzo is a software-as-a-service platform that helps you maintain compliance not only in how you use data, but also in properly notifying visitors of what information is collected and how they can access, limit, or refuse your cookies. Business owners can manage everything from clearly stated cookie policies to easily visible control buttons.

Meanwhile, the service integrates easily with major e-commerce platforms like Shopify, SquareSpace, WooCommerce, and more. 

Book a Free Demo to Learn how Enzuzo Can Assist All Cookie Consent and Compliance Needs Across Europe, North America, and more



 

 

Key Cookie Laws You Should Know

Cookie is a term that refers to how websites collect, store, and share personally identifiable information from visitors. These details can range from internet devices and browsing habits to more sensitive information like names, addresses, or even banking details. This information is often used to customize a visitor’s browsing experience. A good example would be using cookies to show a visitor content that relates to what was previously viewed, such as when you coordinate with an ad deployment network to serve advertisements to visitors.

Cookie laws are designed to give consumers more control over what data is collected and who it is shared with. Typically, these laws require websites to let consumers request that their data be deleted or control exactly how much information can be scraped or shared from a web session.

While several laws exist around the world, the following are some of the more well-known directives. Remember, even if your business is not located in the jurisdiction where a cookie law is drafted, you’re still liable if you violate regulations for how data is collected from visitors who are located in that country or state. 

 

European Union E-Privacy Directive

Also known as the Cookie Directive, this 2011 law would serve as the framework for the later released General Data Protection Regulation (GDPR) which specifically outlined how data could be collected, the rights of European Union citizens to control that information, and associated violation fines. The GDPR regulates in tandem with the Cookie Directive to create a very broad term for personal data that applies to any information that could be associated with an identifiable person.

 

The California Privacy Rights Act (CPRA)

Cookie management in the U.S. is generally regulated by the Federal Trade Commission’s FTC Act, Section 5. However, individual state regulations can leave businesses facing non-compliance allegations if they’re not aware of nuanced requirements across the 50 states. In the U.S., California leads the way in policing cookie use.

The CPRA is a 2023 update that piggybacks off of the California Consumer Privacy Act (CCPA) of 2018. Simply put, you need to allow California residents to opt out of data collection and/or the sale and sharing of their data with your “trusted third parties.” This especially impacts businesses that rely on activity-tracking cookies. Note there are similar cookie laws in Virginia (Virginia Consumer Data Protection Act) and Connecticut (Connecticut Data Privacy Act).

 

Lei Geral de Proteção de Dados Pessoais (LGPD)

Known simply as LGPD, this is Brazil’s version of the EU’s GDPR. Along with outlining what rights a Brazilian citizen has over data collection, it also lists the associated fines for flouting the laws. Similarly, South Korea has the Personal Information Protection Act (PIPA), which dates back to 2011, although it doesn’t explicitly mention cookies. Additionally, many nations, including China and Japan, have similar privacy laws that don’t mention cookies by name but can be considered applicable.

Looking for inspiration on how to create a cookie banner of your own? Visit our list of the best cookie banner examples and replicate the theme for your own site.  

 


 

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.