Google slapped with $56.8 million fine for GDPR consent violations
The French privacy regulator said Google did not prominently disclose required information to users or validly obtain their consent for ad targeting.
Google is now the recipient of the largest fine yet handed out under GDPR. The 50 million euro penalty ($56.8 million) was imposed because France’s data protection regulator (CNIL) said the company was not sufficiently transparent about the use of personal information and didn’t obtain specific consent for ad-targeting purposes.
Penalty comes after “day one” complaints. The fine is the result of an investigation after complaints were filed on June 1, 2018 against Google and Facebook by privacy advocacy group NOYB.eu. One of the complaint’s issues was alleged use of “forced consent,” which made access to services contingent upon agreement to terms.
According to a translation of the CNIL statement (pdf in french), Google violated GDPR by not making information about intended data uses easily accessible to consumers and not gaining consent for each use.
The CNIL statement said, “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents . . . The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.” CNIL added that the information provided to users is “not always clear nor comprehensive.”
Consent not validly obtained. The letter went on to state, “The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent . . . [in addition] the restricted committee observes that the collected consent is neither ‘specific’ nor ‘unambiguous.'” Accordingly, the french regulator found fault with the the broad consent form used by Google when an account is created. This ran afoul of GDPR because consent was not obtained for each specific data use case.
CNIL explained that the amount of the fine was “justified by the severity of the infringements.” It explained that the violations were not isolated but ongoing. The letter also implied one purpose of the fine’s size was to send a message to the market.
Why you should care. GDPR is informing the privacy discussion in this country and some of its provisions could make their way into U.S. privacy legislation and regulation. What happens in Europe could also influence politicians and lawmakers at the state level.
Though the fine is large, it’s not the most noteworthy aspect of the decision. That comes in the form of the rejection of global consent forms that recite a litany of use cases. Each intended data use will need to be highlighted for consumers, who will be required to affirmatively consent before personal data can be collected and applied to ad targeting.
By calling out individual use cases for ad targeting, and by decoupling access to services from global consent, greater numbers of Europeans will likely decline to allow major ad platforms to use their data. How this will impact ad effectiveness will have to be seen. It will affect display and retargeting much more than search. But its impact could be significant.
Google (and others) will almost certainly be compelled to start educating the European public about the benefits of personalized advertising. However in the current climate that could be a tough sell.