What Have Google Done?
Google has been fined £44 million for breaching the EU’s GDPR.
The US company has been fined by the French data protection watchdog CNIL for “lack of transparency, inadequate information and lack of valid consent” in relation to their ad personalisation for users.
It’s one of the larger regulatory enforcement actions since GDPR came into effect last May.
Even though Google is a US company, they must comply with the EU law because they have millions of users in Europe.
If you’re unfamiliar with GDPR, here’s what you need to know:
- Getting Started with GDPR
- Are You Ready for GDPR?
- 6 Steps to Prepare Your Business for GDPR
- What Does GDPR Mean for Marketing?
- How ‘Legitimate Interests’ Changes Marketing
CNIL observed two different types of breaches of GDPR:
1. A Violation Of The Obligations Of Transparency And Information:
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.”
2. A Violation Of The Obligation To Have A Legal Basis For Ads Personalization Processing:
CNIL believe that the consent is not validly obtained for two reasons.
“The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.”
“Before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.”
You can read the full CNIL statement here.
In a statement, Google commented, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”