Google fined $57m by French regulator for breaching GDPR
French data protection authority CNIL has slapped a €50 million ($57 million) on Google for failing to meet requirements under the General Data Protection Regulation.
The regulator hit Google on two points: for making it difficult for users to see the detail on why and how they should give consent in order to be sent personalized ads, and for providing a pre-ticked option when requesting consent.
CNIL has decided that essential information such as data processing purposes, the data storage periods or the categories of personal data used for sending personalized ads are “excessively disseminated” across several documents. This means users can only view the details after clicking through several pages.
The fine is unlikely to cause tremors at Google, whose parent company Alphabet produced $33.6 billion in revenue in the last quarter it reported. Still, it is the first substantial financial penalty to hit a major company for breaching GDPR, and is the first financial penalty issued by CNIL. The only other financial penalty has been issued in Germany against an unnamed social media company.
So far it is CNIL that has been by far the strictest of the DPAs when it comes to warning companies, having scrutinized several mobile location vendors already.
The action could signal what regulators will look for in taking action when many companies are likely in breach of the letter of the regulation. There are several examples of catch-all consent features currently being used. Previously publisher sources have expressed doubt in the authenticity of their consent opt-in rates because they’re counting things like user movement on the page as consent, or users clicking through on articles.
“This historic first fine should serve as a wake-up call to publishers and tech companies alike that GDPR is real and it is here,” said Matt O’Neill, general manager at The Media Trust. “It is crucial that now, more than ever before, media owners have a clear picture of everyone dropping code on their sites and on their users’ devices. The market has been waiting for this moment.”
Under GDPR, regulators want to be satisfied that users are informed why they need to give consent before deciding whether to. That means an individual has to make a clear affirmative action to show they’re giving consent, classed as “unambiguous” under GDPR, and which means no pre-ticked boxes. Currently, Google’s version is a pre-ticked box and for multiple operating purposes, according to CNIL.
The final point is that Google has bundled its services and asked users to agree to give consent for all. The regulator has stressed that under GDPR consent must be given for each purpose the company plans to use the data for, so has said this doesn’t meet the criteria of “specific” consent required.
“People expect high standards of transparency and control from us,” said a Google spokesperson. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. “We’re studying the decision to determine our next steps.”
Google has been under a steady stream of fire from European regulators for a variety of reasons ranging from antitrust competition to copyright infringement for years. The fine may be pocket change for the company, but it marks the largest fine to be dished out to a company for GDPR to date. Eyes will now be on Facebook, which has also had similar fines levied against it by privacy activists. So far, Facebook has been issued a higher fine by the U.K. regulator ICO for its part in the Cambridge Analytica data breach, but the timing of the fine meant it fell under the old data protection law and was, therefore, a smaller fine, albeit to the tune of £500,000 ($661,000).
Typically, data protection authorities take the lead on companies which have their headquarters within the same country. Google’s European headquarters is in Ireland, which makes the Irish DPA Google’s lead GDPR investigator. However, CNIL maintained it was within its rights to investigate due to the time the complaints were logged last June.
“The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” read the CNIL statement.
Others have been heartened by the result. “For nearly a year, Google has been attempting to undermine the GDPR using PR spin, creative legal regimes and its dominant market position all in an attempt to preserve its vast data collection empire,” said Jason Kint, CEO of U.S. publisher trade body Digital Content Next. “It’s heartening to see the EU stand up to Google’s defiance of the law and demand greater protections for consumers.”
Google is still looking at the verdict and hasn’t announced it will be making an appeal. However, some believe that’s a natural next step. “It would be naive not to expect one,” said Phil Lee, partner at European privacy firm Fieldfisher. So far, it all raises more questions than answers. “Longer term, there is a query over what impact this will have on the future of tech, data collection and ad personalization — is this the beginning of the revolution, or will fines simply be seen as a cost of doing business?”
As of 22 Jan. the Irish DPA will be the lead supervisory authority for Google’s European services.
Read the full verdict here.
How publishers are handling the Juneteenth holiday this year
A number of publishers are observing Juneteenth this year, but not in the same way, with some making it an official holiday and others encouraging employees to use their PTO to take the day off.
Member ExclusiveMedia Briefing: How media companies’ DE&I efforts, office return statuses are affecting hiring
This week's Media Briefing looks at how issues like diversity, equity and inclusion and office return statuses are factoring into media companies' ability to hire people.
Cheat Sheet: How new antitrust bills could force more data access from Facebook and Google (and stop them from favoring their own services)
A set of bills proposed recently could force platforms to stop favoring their own services and give more data access and tech connectivity to others.
SponsoredIdentity solution fatigue is setting in: How to keep moving
By Kristina Prokop, CEO and co-founder, Eyeota As we move deeper into 2021, the desperate search for identity solutions that can smooth marketing organizations’ transitions to a cookieless world is reaching a fever pitch. There’s no shortage of new identifiers and identity technologies vying for attention — and that’s a big part of the problem. […]
Single-source panel measurement is key to optimizing social media planning, says DISQO report
New study is based on responses from 166,000 U.S. consumers in February and March, each of whom voluntarily allowed to have their digital behaviors observed.
BuzzFeed will finally monetarily reward its Community users for their viral quizzes, lists
BuzzFeed is testing to see if user-generated content could identify new areas of coverage for its staff, and bring in niche audiences, with a new summer program that could pay a contributor up to $10,000 for a viral post.