Google has become the first US tech giant to fall foul of newly introduced EU privacy laws. French data protection watchdog CNIL fined the company a record €50m ($56.8m) on January 21, citing Google’s lack of transparent and comprehensible guidance regarding its data use policies.
The watchdog raised concerns over Google’s “diluted” approach to seeking consent for targeted adverts. According to the regulator, information on how the company uses harvested data is spread across several pages and documents that use “vague” language.
“The general structure of the information chosen by the company does not enable [it] to comply with the [General Data Protection Regulation (GDPR)],” read a CNIL statement. “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.”
According to CNIL, information on how Google uses harvested data is spread across several pages and documents that use “vague” language
CNIL stated the size of the fine was due to continuous violations, adding that the substantial revenues Google generates from advertising resulted in a larger penalty. In response to the fine, Google reiterated that it takes user privacy extremely seriously.
“People expect high standards of transparency and control from us,” said a company spokesperson. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
While the €50m fine is the largest handed to a tech company by a European regulator, it still falls well short of the maximum limit Google could have faced: four percent of its annual turnover.
The investigation and fine came about after two European pressure groups, None Of Your Business and La Quadrature du Net, filed complaints in May 2018. The groups accused Google – and other large online companies, including Facebook – of having no legal basis to process the personal data of the users of its services.
The decision to penalise Google is likely to heighten the concerns of fellow tech companies using similar ad-driven business models. Ultimately, it may force them to reconsider how they acquire user consent for data collection.