10 Biggest Cookie Consent Fines and How to Avoid Them

Cookie banners ensure visitors are informed about how cookies are used on your site and allow them to manage their cookie preferences accordingly.

Sadly, many online business owners underestimate the importance of obtaining proper consent from users, which can lead to hefty cookie consent fines.

Non-compliance not only strains your wallet but also damages your reputation. Below, we’ll look at 10 real-life examples where companies faced significant fines due to cookie banner missteps.

We’ll talk about the specific errors made and offer actionable insights on how to avoid similar pitfalls so you can make sure your business stays compliant.

  • Get user consent for cookies. Don’t place cookies on users’ devices without their permission, especially for advertising.
  • Your website needs a user-friendly cookie banner that explains what cookies you use and why. It should also be easy for users to accept or reject cookies.
  • Don’t bury the “reject” option. Users should have a clear and simple way to refuse cookies if they choose.

10 Companies With The Biggest Cookie Consent Fines

The companies listed below not only faced violations regarding cookie use but also received some of the biggest GDPR fines to date.

These examples serve as a powerful reminder of the critical need for compliance and the severe consequences of oversight.

Here’s where they went wrong and how such mistakes can be avoided in your business operations:

1. Google  — $160.9 Million

In its Privacy Policy, you can see Google’s promise not only to safeguard their user’s information but also give them control over their data:

Google's privacy policy with icons of various applications on top.

So what has gone wrong? In 2021, Google landed a hefty fine of €150 million from the CNIL, the French Data Protection Authority. This penalty stemmed from violations of the ePrivacy Directive, a regulation similar to GDPR but specifically focused on electronic privacy.

The issue? Google’s cookie banner didn’t give users a fair choice.

While it offered a clear button to accept cookies, rejecting them wasn’t as straightforward. Instead, users had to navigate through several steps to reject the use of cookies, making it much harder than simply accepting.

This imbalance goes against the core principle of cookie consent laws, where users should be able to freely choose whether to accept cookies or reject them altogether.

2. Microsoft — $65 million

In a significant enforcement action, Microsoft was hit with a €60 million ($65 million) fine by the French Data Protection Authority (CNIL). The fine was levied due to non-compliance practices observed with Microsoft’s Bing search engine.

Similar to Google’s case, accepting cookies was a simple one-click affair, while opting out required navigating through confusing steps. This imbalance violated Article 82 of the French Data Protection Act.

CNIL fined Microsoft, emphasizing that the company’s approach did not provide clear and straightforward options for users to refuse cookies for advertising purposes.

Furthermore, CNIL also discovered that another type of cookie aimed at combating ad fraud was automatically placed on user devices without transparent disclosure or obtaining necessary consent when they visited Bing.

Although this cookie wasn’t used for advertising, its installation still required prior user approval under French regulations.

Ensure cookie consent processes are clear and equitable. Always secure user approval for all cookie types, including non-advertising ones.

3. Facebook — $64.3 Million

Facebook wasn’t immune to the cookie banner crackdown either. In December 2021, the CNIL hit them with a €60 million fine for similar reasons as Google and Microsoft.

Basically, the fines imposed were because Facebook failed to meet the “equivalency” requirement of France’s national data protection law. This rule mandates that the process to opt out of cookie consent should be as simple as opting in.

Their findings showed that while it took users just one click to accept cookies through a pop-up banner, opting out required navigating through several clicks, complicating the refusal process.

The CNIL received complaints about this very issue. To date, this case serves as a reminder that user consent needs to be freely given, not pressured through design choices.

This case underlines the broader context of the EU’s firm stance on privacy violations. For example, in May of the previous year, the EU imposed its largest GDPR fine ever, €1.2 billion, on Meta for non-compliance over data transfers from the EU to the US.

That said, you can find a list of the cookie types Facebook uses, their purposes, and how long they stay in your device on Meta’s Privacy Center:

A pop-up window listing Facebook's commonly used cookies, their descriptions, and their lifespans on a table.

4. Amazon — $38 million

On December 7, 2020, Amazon was hit with a significant penalty of 35 million euros ($38 million) by the French Data Protection Authority (CNIL).

The fine was issued based on violations concerning the placement of cookies without consent on the computers of users visiting the “Amazon.fr” website. This action underscored a major non-compliance with privacy regulations.

The investigation revealed that upon visiting the Amazon.fr site, numerous cookies aimed at advertising were automatically placed on users’ computers without any prior action or consent from them.

Since these were non-essential cookies, CNIL determined that Amazon Europe Core had failed to fulfill the requirement to secure user consent before the cookie placement.

Furthermore, the regulatory authority criticized the cookie banner for not providing clear and prior information about the purpose of the cookies and the options available to refuse them. Here’s what you’ll find in Amazon’s Cookie Notice:

Amazon's cookie notice on a white background.

Additionally, CNIL highlighted a severe lapse where users redirected to Amazon.fr from external advertisements encountered the same cookie placement without any informative banner at all.

This wasn’t Amazon’s only brush with cookie consent fines in Europe, either. In 2021, the Luxembourg National Commission for Data Protection (CNDP) issued a whopping €746 million ($888 million) fine after a complaint filed by a privacy rights group.

5. Yahoo — $10.7 Million

Last December 2023, a €10 million GDPR fine was issued to Yahoo from the French data protection authority, CNIL. This case shows that even established companies can fall foul of cookie compliance regulations.

The CNIL investigation found Yahoo violated the GDPR in two key ways. First, visitors to Yahoo.com who specifically clicked to reject cookies were surprised to find that nearly 20 tracking cookies were still placed on their devices!

These cookies, though small in size, were used to collect data for targeted advertising. This essentially bypassed user choice and went against the core principle of cookie consent: users have the right to refuse tracking cookies altogether.

The problems didn’t stop there. CNIL also found that Yahoo Mail users who tried to withdraw their consent for cookies were met with a misleading message.

Yahoo informed them that doing so would prevent them from accessing their email and other Yahoo services entirely. This creates an unfair pressure tactic, forcing users into accepting cookies just to access their accounts. This kind of pressure goes against the idea of freely given consent.

PRO TIP: To comply with cookie laws, always honor user choices to reject cookies and avoid using access restrictions as leverage for consent.

6. Apple — $8.5 Million

Even tech giants like Apple aren’t immune to cookie law slip-ups. In December 2022, the French Data Protection Authority (CNIL) hit Apple with an €8 million fine for violating French regulations on targeted advertising and cookie use.

This fine stemmed from a complaint that led CNIL to conduct several investigations between 2021 and 2022 into Apple’s practices on older versions of its iPhone operating system.

The probe revealed that Apple was automatically collecting user identifiers from those visiting the App Store on iPhones running iOS version 14.6. This data was used primarily to personalize ads within the App Store.

Crucially, Apple did this without first obtaining users’ consent. This was a clear violation of the French Data Protection Act, which stipulates that such data collection is not strictly necessary for providing the App Store service and therefore requires consent.

Further complicating matters, Apple’s settings for ad personalization were found to be pre-checked by default, and users faced a complicated process to deactivate this setting.

This setup made it excessively difficult for users to provide or withdraw consent freely, violating essential principles of the cookie law regarding user control and consent simplicity.

7. TikTok — $5.4 million

Joining the club of companies fined for violating cookie consent rules is TikTok. In December 2022, the CNIL hit them with a €5.4 million fine for two main issues.

Firstly, during an inspection in June 2021, CNIL discovered that while TikTok did provide a simple, one-click option for accepting cookies, refusing them required navigating through several steps.

This disparity, CNIL argued, essentially discouraged users from rejecting cookies, subtly nudging them towards the easier option of accepting all cookies. This approach was deemed to contravene the principles of fair and transparent cookie management.

Secondly, the information provided to users about the cookies, both in the initial banner and in the subsequent choice interface, was found to be insufficiently detailed.

This lack of clarity failed to meet the standards required for informed consent, as users were not properly educated on how their data would be used.

However, after checking out TikTok just now, I’d say its Cookies Policy is long overdue for an update:

TikTok's cookie policy screenshot

A balanced and clear choice between accepting and rejecting cookies is essential for compliance. Better yet, practice transparency in cookie consent processes.

8. Carrefour — $3.23 million

Carrefour wasn’t spared either, landing a €3.05 million fine from the CNIL in November 2020. This penalty stemmed from violations of both the GDPR and French cookie law.

The CNIL investigation revealed several areas where Carrefour France fell short of GDPR compliance. These included:

  • Data Subject Rights: Carrefour wasn’t properly handling requests from individuals to access, erase, or opt out of marketing communications.
  • Transparency Issues: Carrefour failed to provide users with clear and easily accessible information about how their data was being processed.
  • Data Security: Carrefour didn’t have adequate safeguards in place to protect user data.

Moreover, CNIL’s inspections revealed that Carrefour France and Carrefour Banque also violated GDPR guidelines by automatically setting cookies on users’ devices without consent when they visited the Carrefour.fr homepage.

Despite these significant breaches, the CNIL noted that both companies made considerable efforts during the proceedings to rectify their non-compliance, which was reflected in the absence of additional sanctions like injunctions to halt data processing activities.

9. Sephora — $1.2 million

Sephora landed in hot water with California’s Attorney General in August 2022. The issue? Violations of the California Consumer Privacy Act (CCPA). This settlement required Sephora to pay $1.2 million and implement stricter data privacy practices.

The investigation revealed that Sephora failed to disclose to customers that it was selling their personal information to third parties. This data could include browsing habits, product interests, and even location information.

These third parties then use this data to build consumer profiles for targeted advertising. Under the CCPA, Sephora was required to be transparent about this data sale and give users the option to opt out.

Adding to the problem, Sephora wasn’t processing user requests to opt out of this data sale. The CCPA allows users to opt-out through a browser setting called Global Privacy Control (GPC). Sephora was simply ignoring these opt-out requests.

PRO TIP: Always disclose if user data is being sold and ensure opt-out mechanisms like GPC are honored. Transparency builds trust.

10. Twitter – $32,320

In June 2020, Twitter (now known as X) got hit with a €30,000 fine by the Spanish Data Protection Agency (AEPD) for fumbling cookie consent on its website. The trouble began with Twitter’s cookie banner.

The AEPD investigation found two main problems. First, Twitter was automatically placing cookies that weren’t essential for the core functionality of the platform on users’ devices just by visiting the website.

These cookies are likely used for advertising or analytics, but they don’t need to be placed before users have a chance to consent.

Second, Twitter’s cookie banner didn’t give users a clear or simple way to reject cookies. The banner displayed a message that said, “If you continue browsing, you accept the use of cookies.”

There wasn’t a straightforward “reject” option or a way to adjust cookie settings directly on the banner. The only way to manage cookies was through a separate link hidden at the bottom of the webpage, which also lacked a simple way to reject them entirely.

In its Help Center, X now emphasizes its commitment to giving users meaningful privacy control. Here’s what it says:

X's privacy policy on a white background.

What Are the GDPR Cookie Fines for Non-Compliance?

GDPR fines for non-compliance can be severe, reaching up to €20 million or 4% of a company’s global annual turnover, whichever is higher. This applies to a wide range of GDPR non-compliance issues, including cookie consent violations.

That said, not all cookies are treated the same under GDPR. Essential cookies, required for a website to function properly, don’t necessarily require user consent.

On the other hand, non-essential cookies used for advertising or analytics require explicit user consent before being placed on a user’s device. Fines are more likely for violations involving non-essential cookies.

Moreover, maximum fines are rarely imposed. Data protection authorities consider factors like the nature of the violation, cooperation with the investigation, and previous offenses when determining the final penalty.

Here’s a graph showing the highest fines ever issued by the GDPR:

Bar graph showing the highest fines issued by the GDPR in million euros.

Secure explicit consent for non-essential cookies to avoid hefty fines. This is how you’ll build trust with your site visitors.

How to Avoid Cookie Consent Fines

The examples we’ve explored show that getting cookie consent right is crucial. But how can you avoid landing on the wrong side of data protection regulations? Here are some key tips:

Obtain Valid Consent

To avoid fines, do not place cookies on users’ devices without their consent. Consent must be freely given, specific, informed, and unambiguous.

What does it mean to obtain consent? Basically, users should be able to actively opt-in to consent to cookies, rather than using pre-ticked boxes or assuming consent from continued browsing.

Provide Comprehensive Information About the Cookies You Use

Transparency is key. You must provide clear and comprehensive information about the cookies being used, especially advertising cookies. This includes what cookie types are set, their purpose, and how they impact users’ privacy.

Aside from that, it’s important to make sure that this information is easily accessible and understandable, helping users make informed decisions.

Ensure Easy Refusal of Non-Essential Cookies

Just as users should be able to easily consent to cookies, they should also be able to refuse them.

Ensuring that users can refuse cookies without navigating through multiple screens or dealing with convoluted processes is essential for compliance with entities like the Italian Data Protection Authority.

Implement a GDPR Compliant Cookie Policy

Utilize a GDPR-compliant cookie policy that covers all legal bases. Our free cookie policy generator can help you draft a policy that meets regulatory requirements, providing peace of mind and legal safety.

Use Customizable Cookie Consent Tools

For example, our cookie consent banner generator allows you to create a consent banner that fits the specific needs of your website and the nuances of the required consent for different cookie types.

This tool ensures that your approach to consent is flexible and compliant with current regulations.

PRO TIP: Data privacy regulations are constantly evolving. Make it a point to stay updated on the latest GDPR and cookie consent requirements.

Frequently Asked Questions

Why are GDPR cookie fines issued?

Cookie fines are issued when companies fail to comply with the GDPR requirements for user consent. Non-compliance leads to severe penalties.

What is the typical amount for a cookie banner fine?

Cookie banner fines for UK GDPR violations vary widely, typically ranging from thousands to millions of pounds, depending on severity.

Who enforces cookie banner fines?

Cookie banner fines are enforced by national data protection authorities. Examples include the UK’s ICO, France’s CNIL, and Spain’s AEPD.

What are the common reasons for receiving a cookie banner fine?

Common reasons for a cookie banner fine include lacking clear consent mechanisms and insufficient information about cookie use.

How can I make sure my website is cookie-compliant?

Ensure your website offers clear options to accept or reject cookies and provides detailed information about their use. Regularly update your cookie policy to comply with legal standards.

Gabriela Dascalescu
Gabriela is a privacy expert and data protection officer who focuses on translating legalese. She dedicates to staying updated on tech and digital law developments to help clients get compliant with privacy regulations and legal tech requirements. She provides clear and concise legal advice, considering business objectives and interdisciplinary expertise. She integrates knowledge from various legal fields to offer comprehensive solutions in today's interconnected world.