Digital cookies and trackers are essential for personalising services and measuring audience behaviour, but European privacy rules (in particular the EU e‑Privacy Directive and the General Data Protection Regulation (GDPR)) require companies to obtain informed, freely given consent before setting non‑essential cookies. Supervisory authorities have repeatedly sanctioned organisations that ignore these rules or make it harder to refuse cookies. This two‑part series summarises ten notable lawsuits and enforcement actions related to cookie compliance, arranged from the lowest to the highest penalty. Below are the first five cases.
1 – Wallapop – fine of €3 000 (AEPD, Spain, 2024)
Spanish marketplace Wallapop was reported to Spain’s data protection authority (AEPD) after a user discovered that third‑party marketing cookies were still being placed even when they were expressly rejected. The AEPD determined that the site did not honour the user’s choice; Wallapop accepted responsibility and paid a reduced sanction. The final penalty was €3 000 after reduction for early payment and acknowledgment of responsibility. While the amount is small, the case illustrates that regulators will sanction non‑compliance even for minor infractions.
2 – Les Publications Condé Nast (VanityFair.fr) – fine of €750 000 (CNIL, France, 2025)
The French data protection authority CNIL investigated VanityFair.fr (published by Les Publications Condé Nast) and found that the website placed advertising cookies before obtaining consent, provided unclear information about the trackers, and offered an ineffective refusal mechanism. Because the cookie banner did not allow users to refuse cookies as easily as to accept them, and because some cookies were loaded automatically, CNIL imposed a €750 000 fine. The regulator ordered the publisher to comply with cookie rules and improve transparency.
3 – American Express Carte France – fine of €1.5 million (CNIL, France, 2025)
In December 2025, CNIL sanctioned American Express Carte France for placing advertising cookies without user consent and for continuing to read cookies after users refused or withdrew consent. The investigation found that when people signed up for an American Express card online, cookies were set before any meaningful choice was given, and rejecting cookies did not prevent further tracking. CNIL’s decision imposed a fine of €1.5 million and considered that the company ultimately cooperated and implemented corrective measures during the proceedings.
4 – Amazon Europe Core – fine of €35 million (CNIL, France, 2020)
CNIL’s 2020 decision against Amazon Europe Core concerned the automatic placement of advertising cookies on the amazon.fr website without prior consent. Investigators found that when users visited the site, cookies were stored for advertising and behavioural analysis even before they interacted with the consent banner, and that the banner did not clearly explain the purposes of the trackers or the means to refuse them. The regulator concluded that Amazon had violated Article 82 of the French Data Protection Act and imposed a €35 million fine. Amazon later updated its cookie banner and information notices.
5 – Criteo – fine of €40 million (CNIL, France, 2023)
Advertising‑technology company Criteo provides retargeting services that follow users across websites to deliver personalised ads. In June 2023, CNIL fined Criteo €40 million for multiple shortcomings. The authority found that Criteo failed to verify that partner websites had obtained user consent before processing their data and was unable to demonstrate that it had a valid legal basis for its tracking cookie. CNIL also criticised the lack of transparency in Criteo’s processing and its incomplete cooperation during the investigation. Criteo was ordered to revise its data‑processing agreements and ensure that valid consent is obtained by all partners before personal data are processed.
Conclusion of Part 1
These first five cases show that European regulators penalise both large and small organisations when they misuse cookies. Even modest fines such as Wallapop’s €3 000 demonstrate that authorities expect strict compliance, while larger penalties against companies like Amazon and Criteo highlight the seriousness of placing cookies without consent or failing to verify consent obtained by partners. In the second part of this series, we will examine the five cases with the highest penalties, including landmark fines against Google, Facebook and Shein.
Part 2 will be released tomorrow, stay tunned !