Google fined $57m by French regulator for breaching GDPR
French data protection authority CNIL has slapped a €50 million ($57 million) on Google for failing to meet requirements under the General Data Protection Regulation.
The regulator hit Google on two points: for making it difficult for users to see the detail on why and how they should give consent in order to be sent personalized ads, and for providing a pre-ticked option when requesting consent.
CNIL has decided that essential information such as data processing purposes, the data storage periods or the categories of personal data used for sending personalized ads are “excessively disseminated” across several documents. This means users can only view the details after clicking through several pages.
The fine is unlikely to cause tremors at Google, whose parent company Alphabet produced $33.6 billion in revenue in the last quarter it reported. Still, it is the first substantial financial penalty to hit a major company for breaching GDPR, and is the first financial penalty issued by CNIL. The only other financial penalty has been issued in Germany against an unnamed social media company.
So far it is CNIL that has been by far the strictest of the DPAs when it comes to warning companies, having scrutinized several mobile location vendors already.
The action could signal what regulators will look for in taking action when many companies are likely in breach of the letter of the regulation. There are several examples of catch-all consent features currently being used. Previously publisher sources have expressed doubt in the authenticity of their consent opt-in rates because they’re counting things like user movement on the page as consent, or users clicking through on articles.
“This historic first fine should serve as a wake-up call to publishers and tech companies alike that GDPR is real and it is here,” said Matt O’Neill, general manager at The Media Trust. “It is crucial that now, more than ever before, media owners have a clear picture of everyone dropping code on their sites and on their users’ devices. The market has been waiting for this moment.”
Under GDPR, regulators want to be satisfied that users are informed why they need to give consent before deciding whether to. That means an individual has to make a clear affirmative action to show they’re giving consent, classed as “unambiguous” under GDPR, and which means no pre-ticked boxes. Currently, Google’s version is a pre-ticked box and for multiple operating purposes, according to CNIL.
The final point is that Google has bundled its services and asked users to agree to give consent for all. The regulator has stressed that under GDPR consent must be given for each purpose the company plans to use the data for, so has said this doesn’t meet the criteria of “specific” consent required.
“People expect high standards of transparency and control from us,” said a Google spokesperson. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. “We’re studying the decision to determine our next steps.”
Google has been under a steady stream of fire from European regulators for a variety of reasons ranging from antitrust competition to copyright infringement for years. The fine may be pocket change for the company, but it marks the largest fine to be dished out to a company for GDPR to date. Eyes will now be on Facebook, which has also had similar fines levied against it by privacy activists. So far, Facebook has been issued a higher fine by the U.K. regulator ICO for its part in the Cambridge Analytica data breach, but the timing of the fine meant it fell under the old data protection law and was, therefore, a smaller fine, albeit to the tune of £500,000 ($661,000).
Typically, data protection authorities take the lead on companies which have their headquarters within the same country. Google’s European headquarters is in Ireland, which makes the Irish DPA Google’s lead GDPR investigator. However, CNIL maintained it was within its rights to investigate due to the time the complaints were logged last June.
“The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” read the CNIL statement.
Others have been heartened by the result. “For nearly a year, Google has been attempting to undermine the GDPR using PR spin, creative legal regimes and its dominant market position all in an attempt to preserve its vast data collection empire,” said Jason Kint, CEO of U.S. publisher trade body Digital Content Next. “It’s heartening to see the EU stand up to Google’s defiance of the law and demand greater protections for consumers.”
Google is still looking at the verdict and hasn’t announced it will be making an appeal. However, some believe that’s a natural next step. “It would be naive not to expect one,” said Phil Lee, partner at European privacy firm Fieldfisher. So far, it all raises more questions than answers. “Longer term, there is a query over what impact this will have on the future of tech, data collection and ad personalization — is this the beginning of the revolution, or will fines simply be seen as a cost of doing business?”
As of 22 Jan. the Irish DPA will be the lead supervisory authority for Google’s European services.
Read the full verdict here.
Member ExclusiveWith the latest crisis, media needs to back up words with actions
For the media industry, this was a week of introspection -- and a time of decision. For all the progressive ideals espoused by publishers, marketers and agencies, most fall well short when it comes to turning words into action.
Down 30% in ad revenue, G/O Media weathers the storm with a new CRO
Despite needing to layoff about 3% of its total staff in April, G/O Media's plan for getting back on its feet includes expanding its team once again.
How BBC Global News has adapted to remote reporting
BBC Global News is launching new shows: In mid-May, a series aired featuring the two strangers discussing their similar experiences dealing with coronavirus.
SponsoredVideo advertisers are turning to format innovation to push beyond interruptive experiences
In a new video, experts from GumGum, The Martin Agency and Pinterest discuss the future of video advertising — and outline their vision for how video ads can be less disruptive.
As protests escalate, advertisers and media owners face a fresh crisis
The fast-moving and highly fractious events surrounding the death of George Floyd and subsequent nationwide protests have plunged advertisers and publisher back into crisis mode.
Member ExclusiveHow Noble People is taking action and managing employees during a time of crisis
Companies are feeling the pressure to respond publicly to the George Floyd protests, but beyond that they have a duty to their employees to know how to better serve them, not just in a time of crisis, but all the time.