What Have Google Done?
The US company has been fined by the French data protection watchdog CNIL for “lack of transparency, inadequate information and lack of valid consent” in relation to their ad personalisation for users.
It’s one of the larger regulatory enforcement actions since GDPR came into effect last May.
Even though Google is a US company, they must comply with the EU law because they have millions of users in Europe.
If you’re unfamiliar with GDPR, here’s what you need to know:
- -Getting Started with GDPR
- – Are You Ready for GDPR?
- – 6 Steps to Prepare Your Business for GDPR
- – What Does GDPR Mean for Marketing?
- – How ‘Legitimate Interests’ Changes Marketing
CNIL observed two different types of breaches of GDPR:
1. A Violation Of The Obligations Of Transparency And Information:
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.”
2. A Violation Of The Obligation To Have A Legal Basis For Ads Personalization Processing:
CNIL believe that the consent is not validly obtained for two reasons.
“The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. “
You can read the full CNIL statement here.
In a statement, Google commented, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”