Google fined $57m by French regulator for breaching GDPR
French data protection authority CNIL has slapped a €50 million ($57 million) on Google for failing to meet requirements under the General Data Protection Regulation.
The regulator hit Google on two points: for making it difficult for users to see the detail on why and how they should give consent in order to be sent personalized ads, and for providing a pre-ticked option when requesting consent.
CNIL has decided that essential information such as data processing purposes, the data storage periods or the categories of personal data used for sending personalized ads are “excessively disseminated” across several documents. This means users can only view the details after clicking through several pages.
The fine is unlikely to cause tremors at Google, whose parent company Alphabet produced $33.6 billion in revenue in the last quarter it reported. Still, it is the first substantial financial penalty to hit a major company for breaching GDPR, and is the first financial penalty issued by CNIL. The only other financial penalty has been issued in Germany against an unnamed social media company.
So far it is CNIL that has been by far the strictest of the DPAs when it comes to warning companies, having scrutinized several mobile location vendors already.
The action could signal what regulators will look for in taking action when many companies are likely in breach of the letter of the regulation. There are several examples of catch-all consent features currently being used. Previously publisher sources have expressed doubt in the authenticity of their consent opt-in rates because they’re counting things like user movement on the page as consent, or users clicking through on articles.
“This historic first fine should serve as a wake-up call to publishers and tech companies alike that GDPR is real and it is here,” said Matt O’Neill, general manager at The Media Trust. “It is crucial that now, more than ever before, media owners have a clear picture of everyone dropping code on their sites and on their users’ devices. The market has been waiting for this moment.”
Under GDPR, regulators want to be satisfied that users are informed why they need to give consent before deciding whether to. That means an individual has to make a clear affirmative action to show they’re giving consent, classed as “unambiguous” under GDPR, and which means no pre-ticked boxes. Currently, Google’s version is a pre-ticked box and for multiple operating purposes, according to CNIL.
The final point is that Google has bundled its services and asked users to agree to give consent for all. The regulator has stressed that under GDPR consent must be given for each purpose the company plans to use the data for, so has said this doesn’t meet the criteria of “specific” consent required.
“People expect high standards of transparency and control from us,” said a Google spokesperson. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. “We’re studying the decision to determine our next steps.”
Google has been under a steady stream of fire from European regulators for a variety of reasons ranging from antitrust competition to copyright infringement for years. The fine may be pocket change for the company, but it marks the largest fine to be dished out to a company for GDPR to date. Eyes will now be on Facebook, which has also had similar fines levied against it by privacy activists. So far, Facebook has been issued a higher fine by the U.K. regulator ICO for its part in the Cambridge Analytica data breach, but the timing of the fine meant it fell under the old data protection law and was, therefore, a smaller fine, albeit to the tune of £500,000 ($661,000).
Typically, data protection authorities take the lead on companies which have their headquarters within the same country. Google’s European headquarters is in Ireland, which makes the Irish DPA Google’s lead GDPR investigator. However, CNIL maintained it was within its rights to investigate due to the time the complaints were logged last June.
“The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” read the CNIL statement.
Others have been heartened by the result. “For nearly a year, Google has been attempting to undermine the GDPR using PR spin, creative legal regimes and its dominant market position all in an attempt to preserve its vast data collection empire,” said Jason Kint, CEO of U.S. publisher trade body Digital Content Next. “It’s heartening to see the EU stand up to Google’s defiance of the law and demand greater protections for consumers.”
Google is still looking at the verdict and hasn’t announced it will be making an appeal. However, some believe that’s a natural next step. “It would be naive not to expect one,” said Phil Lee, partner at European privacy firm Fieldfisher. So far, it all raises more questions than answers. “Longer term, there is a query over what impact this will have on the future of tech, data collection and ad personalization — is this the beginning of the revolution, or will fines simply be seen as a cost of doing business?”
As of 22 Jan. the Irish DPA will be the lead supervisory authority for Google’s European services.
Read the full verdict here.
‘Necessity drives innovation’: Despite the economic downturn, upstart agencies are finding their way to launch
Agencies are launching despite— and as a result of — the pandemic as new creative opportunities arise from the disrupted marketing landscape.
‘Fewer, bigger, better’: RFP close rates rise for publishers as buyers look to keep things simple
Some publishers are now closing close to half the RFPs they send out. The trick is getting onto the shortening lists receiving the RFP.
Inside the Atlantic’s triumphant and tumultuous run during the coronavirus pandemic
The Trump 'losers' and 'suckers' scoop provided a boost not only to The Atlantic’s renewed sense of importance, but to its bottom line.
SponsoredFor brand marketers, watch parties are where connections and entertainment meet
Jen Prince, managing director, media and entertainment, Twitter Bridget Harvey, head of media and entertainment strategy, Twitter Next Whether it’s finding new shows, rewatching old favorites or tuning into a history-making world premiere, watching movies and TV at home brings people together during times of isolation. And while audiences are looking to be entertained, they’re also […]
Member Exclusive‘Stricter than the ad tech industry expected’: Apple clarifies its upcoming privacy changes will leave little wriggle room
A recently published FAQ section on Apple's developer site offers more clarification on how its forthcoming app privacy changes will be applied.
‘Retention has been one of our best stories of the year’: Bob Cohn on steering The Economist through crisis
The Economist has recently switched tactics from being 'an acquisition machine' to honing its subscriber retention tactics — a move its recently appointed president says is paying off.