The French data regulator, CNIL, (the French equivalent of the UK’s ICO) has fined Google €50m, a record when it comes to data protection fines.
The fine follows an investigation after a complaint from privacy rights groups noyb and La Quadrature du Net in May last year about the way consent is collected by Google, for its ad personalisation services.
CNIL said that it is fining Google for its “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”, saying that users were “not sufficiently informed”.
The case against Google relates to a number of issues with the lawful collection (or apparent lack) of consent:
- the fact that the whole process of giving consent was complicated and spread across various documents, where the GDPR requires “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.“
- the use of pre-ticked boxes, where the GDPR requires consent to be “freely given” with a positive action to opt-in and give that consent
- consent was being collected for all processing activities and was not granular enough; for consent to be lawful the GDPR requires that “When the processing has multiple purposes, consent should be given for all of them.”
Google are currently considering the next steps.
If you need help with your own consent processes, a Hub subscription can help – get in touch if you’d like to know more about how the Digital Compliance Hub can help support your business with its GDPR compliance and make sure you have all the right consent processes in place.