Cookie consent fines are levied when a business fails to comply with data privacy laws, whether EU regulations such as the GDPR or U.S. state statutes. A legally compliant cookie banner is a business requirement in Europe, North America, and other jurisdictions, so if your site is not compliant it runs the risk of cookie fines under the GDPR and similar laws.
In this post, we discuss key cookie laws you should be aware of. Then we dive into 7 cookie banner fines and talk about when companies were fined for not following the law.
In another post, we also discuss the best cookie banner examples. That resource will help you understand how some of the biggest firms build legally compliant cookie banners and how you can reverse engineer those examples for your own store.
Key Cookie Laws You Should Know
A cookie is a small piece of data that a website stores in a visitor's browser and that the browser sends back with every later request to that site. In practice a cookie usually holds an identifier that lets the site, or a third party embedded in it, recognize the same browser across pages and visits and link it to the data it has collected: the device and browser in use, browsing habits, and sometimes more sensitive details such as names, addresses, or even banking details held in an account. That information is often used to customize a visitor's browsing experience. A typical example is showing a visitor content related to what they previously viewed, such as when you coordinate with an advertising network to serve targeted advertisements.
Cookie laws are designed to give consumers control over what data is collected about them and who it is shared with. Typically these laws require websites to obtain consent before setting non-essential cookies, to let visitors request that their data be deleted, and to let them limit how much information is collected or shared from a web session.
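The consent requirement above has two halves a developer has to get right: nothing non-essential is stored until the visitor actually agrees, and refusing must be as easy as accepting. The following is an added example, not code from the original post or from any product it mentions: a dependency-free model of consent-gated cookie handling that runs under Node, with an audit function you can point at a captured Cookie header from a fresh session. The cookie names, the purpose registry, and the sample header strings are constructed for illustration and do not come from any real site; treating a Global Privacy Control signal as an advertising opt-out is an assumption that follows California's reading of the signal.

```javascript
// Added example, not code from the original post: a dependency-free model of
// consent-gated cookie handling that runs under Node. The cookie names, the
// purpose registry and the sample Cookie header strings are constructed for
// illustration and do not come from any real site.

// Every cookie the site sets, tagged with its purpose. "necessary" cookies
// need no consent; the other categories do. The tracker names below are
// assumed for the example, not identifiers taken from the page.
const COOKIE_REGISTRY = {
  session_id: 'necessary',
  csrf_token: 'necessary',
  cookie_consent: 'necessary', // records the visitor's own choice
  _ga: 'analytics',
  _fbp: 'advertising',
  ad_uid: 'advertising',
};

const OPTIONAL_CATEGORIES = ['analytics', 'advertising'];

// Parse a Cookie request header ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
    if (name) jar.set(name, value);
  }
  return jar;
}

// Turn one banner action into a consent record. "reject" is a single action,
// exactly like "accept": regulators have fined flows where refusing took
// more clicks than accepting.
function consentFromChoice(choice, granular = {}) {
  const record = {};
  for (const cat of OPTIONAL_CATEGORIES) {
    if (choice === 'accept') record[cat] = true;
    else if (choice === 'reject') record[cat] = false;
    else if (choice === 'custom') record[cat] = granular[cat] === true;
    else throw new Error(`unknown banner choice: ${choice}`);
  }
  return record;
}

// Serialize a consent record as a name=value pair for the consent cookie.
function serializeConsent(record) {
  return `cookie_consent=${encodeURIComponent(JSON.stringify(record))}`;
}

// Read consent back from the jar. No stored record means no consent (nothing
// is granted by default). A browser sending the Global Privacy Control signal
// is treated as an opt-out from advertising cookies (assumption, see lead-in).
function currentConsent(jar, gpcSignal = false) {
  let stored = null;
  if (jar.has('cookie_consent')) {
    try { stored = JSON.parse(jar.get('cookie_consent')); } catch (e) { stored = null; }
  }
  const record = {};
  for (const cat of OPTIONAL_CATEGORIES) {
    record[cat] = Boolean(stored && stored[cat] === true);
  }
  if (gpcSignal) record.advertising = false;
  return record;
}

// Gate a Set-Cookie: may this cookie be stored under this consent record?
// Unregistered names are refused, so a tracker added by a new tag cannot
// bypass the banner simply by not being listed.
function mayStoreCookie(name, consent) {
  const category = COOKIE_REGISTRY[name];
  if (category === undefined) return false;
  if (category === 'necessary') return true;
  return consent[category] === true;
}

// Audit a captured Cookie header: which cookies present have no basis under
// the consent actually given? Run it against a fresh session before any
// banner interaction to catch identifiers dropped before consent.
function auditCookies(header, gpcSignal = false) {
  const jar = parseCookieHeader(header);
  const consent = currentConsent(jar, gpcSignal);
  const findings = [];
  for (const name of jar.keys()) {
    if (!mayStoreCookie(name, consent)) {
      findings.push({ name, category: COOKIE_REGISTRY[name] || 'unregistered' });
    }
  }
  return findings;
}

// Constructed sample: a first visit where an ad identifier was dropped before
// the visitor made any choice, the pattern behind several fines on this page.
const SAMPLE_FIRST_VISIT = 'session_id=abc123; csrf_token=t0k3n; _fbp=fb.1.1700000000.42';

console.log(auditCookies(SAMPLE_FIRST_VISIT)); // [ { name: '_fbp', category: 'advertising' } ]
```

The deny-by-default choices are deliberate: an absent or unparseable consent cookie grants nothing, and a cookie name missing from the registry is refused rather than allowed, so the audit surfaces both pre-consent tracking and trackers nobody registered. In a real deployment the gate would sit wherever Set-Cookie headers or `document.cookie` writes originate, including in tag-manager templates.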
While many such laws exist around the world, the following are some of the better-known ones. Remember, even if your business is not located in the jurisdiction where a cookie law was enacted, you are still liable if you violate its rules when collecting data from visitors who are located in that country or state.
European Union ePrivacy Directive
Also known as the Cookie Directive, the ePrivacy Directive dates from 2002 and was amended in 2009 (member states had until 2011 to transpose the amendment) to require consent before cookies are stored on a user's device. It works in tandem with the General Data Protection Regulation (GDPR), in force since 2018, which sets out how personal data may be collected and processed, the rights of people in the EU to control that data, and the fines for violations. The GDPR defines personal data very broadly, as any information that can be associated with an identifiable person, which is why the identifiers carried in cookies fall within it.
The California Privacy Rights Act (CPRA)
In the U.S., cookie use is generally policed under Section 5 of the FTC Act, which prohibits unfair or deceptive practices. However, individual state laws add nuanced requirements of their own, and businesses unaware of them can face non-compliance allegations. Among the states, California leads the way in policing cookie use.
The CPRA, which took effect in 2023, builds on the California Consumer Privacy Act (CCPA) of 2018. Simply put, you must allow California residents to opt out of the sale or sharing of their personal information with third parties, and because "sharing" covers disclosure for cross-context behavioral advertising, this especially affects businesses that rely on activity-tracking cookies. Virginia (Virginia Consumer Data Protection Act) and Connecticut (Connecticut Data Privacy Act) have similar laws.
Lei Geral de Proteção de Dados Pessoais
Known simply as the LGPD, this is Brazil's counterpart to the EU's GDPR. Along with setting out the rights Brazilians have over data collected about them, it lists the fines for flouting the law. South Korea's Personal Information Protection Act (PIPA), which dates from 2011, is similar, although it does not mention cookies explicitly. Many other nations, including China and Japan, have privacy laws that do not name cookies but apply to the data cookies carry.
7 Cookie Banner Fines & Violations
It should be noted that the largest and most frequent cookie fines are handed down by the EU and its member states' data protection authorities. However, other nations do take action against egregious offenders.
Facebook — €60 Million
When it comes to privacy, Facebook, or Meta these days, is no stranger to controversy. The company has found itself in hot water repeatedly since it expanded beyond college campuses in 2006. In January 2022, the French data protection authority CNIL fined it €60 million over its cookie-consent flow.
The social giant was forced to
Incidentally, Google was sanctioned for the same infraction: in the same decision, CNIL fined Google €150 million, and later that month France's highest administrative court upheld a separate €100 million fine against Google from December 2020.
Google Cookie Fines — €150 Million, €100 Million, & $50 Million
Google has been fined three times for cookie-consent violations. In January 2022, CNIL fined it €150 million in the same decision that fined Facebook, because refusing cookies on google.fr and youtube.com took several clicks while accepting them took one. In the same month, France's highest administrative court (the Council of State, or Conseil d'Etat) upheld a separate €100 million fine that CNIL had levied in December 2020 for placing advertising cookies on google.fr without consent.
Lastly, in September 2022, Google had to pay roughly $50 million to South Korea's Personal Information Protection Commission (PIPC) for violating PIPA; Meta was fined in the same decision. The PIPC found that neither firm obtained proper consent before collecting users' activity on other sites and apps for targeted advertising.
Apple — €8 Million
In late 2022, Apple, Inc. also had a run-in with France's CNIL. This time the regulator cited the company's failure to obtain consent from French iPhone users before placing advertising identifiers on their devices to collect data; the personalized ads Apple delivered in the App Store were what raised the alarm. The €8 million fine is peanuts next to Apple's revenue and profit, but it is a black eye for a company that touts privacy protection to its customers.
TikTok Cookie Fine — €5 Million
TikTok is another social titan that has repeatedly raised red flags over data collection and privacy. Once again, France's CNIL dropped the hammer, citing problems with the video-sharing platform's cookie-consent flow: refusing cookies took more steps than accepting them, and users were not adequately told what the cookies were for. In 2023 the agency announced a €5 million fine. It should be noted that TikTok had already corrected the flow by the time of the decision, which helps explain the much smaller penalty compared with other social platforms.
Sephora — $1.2 Million
Not long after California's CCPA went into effect, the state's Attorney General was quickly catching businesses that failed to meet its requirements. Most businesses that received a notice of violation fixed the problems within the 30-day cure period the law then provided. Beauty behemoth Sephora did not. In August 2022 the multinational settled with the state of California for $1.2 million for failing to disclose that it was selling consumers' personal information to third parties, for failing to offer a working opt-out to California residents, and for not honoring the Global Privacy Control (GPC) opt-out signal sent by visitors' browsers.
This was the first public enforcement action under the CCPA.
Avoid Cookie Fines with Enzuzo
There is no excuse for knowingly running afoul of privacy and cookie laws. But since you cannot dictate where your website traffic comes from, it can be difficult to ensure your business complies with all the privacy and data-use regulations that 137 countries have enacted.
Enzuzo is a software-as-a-service platform that helps you stay compliant not only in how you use data, but in properly notifying visitors of what information is collected and how they can access, limit, or refuse your cookies. Clearly stated cookie policies and prominently visible control buttons are among the options business owners can manage.
Meanwhile, the service integrates easily with major e-commerce platforms like Shopify, SquareSpace, WooCommerce, and more. Whether you only expect to receive web traffic from your sleepy state, or you are planning a global rollout, you need Enzuzo to keep you compliant no matter who visits your website.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.