Google fined $57m by French regulator for breaching GDPR
French data protection authority CNIL has slapped a €50 million ($57 million) on Google for failing to meet requirements under the General Data Protection Regulation.
The regulator hit Google on two points: for making it difficult for users to see the detail on why and how they should give consent in order to be sent personalized ads, and for providing a pre-ticked option when requesting consent.
CNIL has decided that essential information such as data processing purposes, the data storage periods or the categories of personal data used for sending personalized ads are “excessively disseminated” across several documents. This means users can only view the details after clicking through several pages.
The fine is unlikely to cause tremors at Google, whose parent company Alphabet produced $33.6 billion in revenue in the last quarter it reported. Still, it is the first substantial financial penalty to hit a major company for breaching GDPR, and is the first financial penalty issued by CNIL. The only other financial penalty has been issued in Germany against an unnamed social media company.
So far it is CNIL that has been by far the strictest of the DPAs when it comes to warning companies, having scrutinized several mobile location vendors already.
The action could signal what regulators will look for in taking action when many companies are likely in breach of the letter of the regulation. There are several examples of catch-all consent features currently being used. Previously publisher sources have expressed doubt in the authenticity of their consent opt-in rates because they’re counting things like user movement on the page as consent, or users clicking through on articles.
“This historic first fine should serve as a wake-up call to publishers and tech companies alike that GDPR is real and it is here,” said Matt O’Neill, general manager at The Media Trust. “It is crucial that now, more than ever before, media owners have a clear picture of everyone dropping code on their sites and on their users’ devices. The market has been waiting for this moment.”
Under GDPR, regulators want to be satisfied that users are informed why they need to give consent before deciding whether to. That means an individual has to make a clear affirmative action to show they’re giving consent, classed as “unambiguous” under GDPR, and which means no pre-ticked boxes. Currently, Google’s version is a pre-ticked box and for multiple operating purposes, according to CNIL.
The final point is that Google has bundled its services and asked users to agree to give consent for all. The regulator has stressed that under GDPR consent must be given for each purpose the company plans to use the data for, so has said this doesn’t meet the criteria of “specific” consent required.
“People expect high standards of transparency and control from us,” said a Google spokesperson. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. “We’re studying the decision to determine our next steps.”
Google has been under a steady stream of fire from European regulators for a variety of reasons ranging from antitrust competition to copyright infringement for years. The fine may be pocket change for the company, but it marks the largest fine to be dished out to a company for GDPR to date. Eyes will now be on Facebook, which has also had similar fines levied against it by privacy activists. So far, Facebook has been issued a higher fine by the U.K. regulator ICO for its part in the Cambridge Analytica data breach, but the timing of the fine meant it fell under the old data protection law and was, therefore, a smaller fine, albeit to the tune of £500,000 ($661,000).
Typically, data protection authorities take the lead on companies which have their headquarters within the same country. Google’s European headquarters is in Ireland, which makes the Irish DPA Google’s lead GDPR investigator. However, CNIL maintained it was within its rights to investigate due to the time the complaints were logged last June.
“The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” read the CNIL statement.
Others have been heartened by the result. “For nearly a year, Google has been attempting to undermine the GDPR using PR spin, creative legal regimes and its dominant market position all in an attempt to preserve its vast data collection empire,” said Jason Kint, CEO of U.S. publisher trade body Digital Content Next. “It’s heartening to see the EU stand up to Google’s defiance of the law and demand greater protections for consumers.”
Google is still looking at the verdict and hasn’t announced it will be making an appeal. However, some believe that’s a natural next step. “It would be naive not to expect one,” said Phil Lee, partner at European privacy firm Fieldfisher. So far, it all raises more questions than answers. “Longer term, there is a query over what impact this will have on the future of tech, data collection and ad personalization — is this the beginning of the revolution, or will fines simply be seen as a cost of doing business?”
As of 22 Jan. the Irish DPA will be the lead supervisory authority for Google’s European services.
Read the full verdict here.
Newsletter publishers say they continue to see uptick in revenue despite advertising slowdown
At a time when larger media companies are feeling the pressure of the economic downturn and advertising slowdown, newsletter businesses continue to be in a period of revenue growth.
TikTok’s CEO faces bipartisan skepticism in first Congressional hearing on security concerns
The hearing comes amid calls to remove TikTok from government devices and in some cases even ban it entirely.
Media Briefing: What to expect at the Digiday Publishing Summit
As DPS draws nearer, top pain points for publishers are coming to light.
SponsoredHow advertisers are leveraging omnichannel attribution and measurement to power CTV
Sponsored by MNTN Connected TV advertising has joined and expanded the larger ecosystem of campaigns that advertisers deploy. As such, omnichannel marketing strategies now encompass television and mobile devices, tablets and other screens such as out-of-home. And as customers engage across these different touchpoints, brands are seeking and moving their measurement and analytics efforts to […]
New app launches through Apple hoping to win with ‘zero-party data’ when others haven’t
Caden's new app lets users connect data from their Uber, Amazon, Netflix and other accounts in exchange for money. Will it take off?
‘The next level for us’: The New York Times eyes better retention for games in subscription drive
The games division is focusing on finding new ways to mine the inherent competitive nature of games like encouraging people to play multiple games in a single session or through new achievements and rewards for progression.