The French Data Protection Authority (“CNIL”) imposed a fine of 60 million Euro against Google LLC and 40 million Euro against Google Ireland Limited on 7 December 2020.
CNIL fined Google LLC and Google Ireland Limited companies for a total of 100 million Euro for having placed cookies on the computers of Google search engine users without their prior consent and without providing adequate information. The relevant fines were imposed for the following reasons: (i) The obligation to obtain prior consent is violated due to the fact that advertising cookies are automatically placed on users’ computers without any action when users visit the Google.fr website; (ii) the obligation to provide adequate information was violated on the grounds that the information banner on the website did not provide any information regarding the aforementioned advertising cookies; (iii) the “opposition” mechanism is partially flawed because even if the user disabled the ad personalization feature, one of the advertising cookies was not disabled and continued to collect data about the server to which it was connected.
There is a specific regulation on cookies in the European Union named the Privacy and Electronic Communications Directive (ePrivacy Directive). There is no specific regulation on the use of cookies in Turkey. However, the data processed through using cookies are considered personal data within the scope of the Law on Personal Data Protection. For example, the Turkish Constitutional Court has stated in more than one decision that IP addresses are considered as personal data1. It is known that the Turkish Data Protection Authority follows the decisions of the European data protection authorities.
Therefore, in order to avoid similar sanctions, users whose data are processed through cookies must be provided with adequate information and their prior explicit consent must be obtained before advertising/marketing cookies are placed on their devices.