Google has been slapped with a record €50 million ($56 million) fine by the French privacy watchdog, CNIL.
Following an investigation into Google’s advertising practices, CNIL and other EU privacy regulators found that the company was violating the EU-wide General Data Protection Regulation (GDPR), some of the strictest controls over consumer data in the world.
So, what did Google do wrong, and what does it mean for Google users, and for other companies bound by GDPR?
What Did Google Do Wrong?
According to CNIL, Google didn’t make it easy enough for everyday users to find and digest information about what Google would do with the data they provided the company.
To be clear, Google did provide the information. But CNIL said that the detail was too hidden away:
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents,
“The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.”
Clarity around the collection and use of customer data is one of the central pillars of the GDPR rules, as AlienVault’s Javvad Malik explains:
“The fine can be summed up into lack of transparency. Companies need to be transparent and clear with their users as to what data they are capturing and for what purposes. In this case CNIL has decided that Google was neither transparent, nor clear with users – resulting in users making misinformed choices.”
CNIL also found that Google failed to validly obtain user consent to personalize the ads it fed to users. This is the more serious charge levelled at the search giant, as companies need to jump through a series of hoops in order to legally personalize adverts for EU residents.
CNIL says that Google’s collection of data for personalized ad processing fell short of the legal requirements in two ways:
“First… users’ consent is not sufficiently informed.
“Then… the collected consent is neither ‘specific’ nor ‘unambiguous’.”
Effectively, Google flouted the GDPR rules by not telling users that the data they were providing was going to be used to send targeted ads their way. Going into more detail, CNIL explained:
“When an account is created, the user can admittedly modify some options associated with the account by clicking on the button «More options», accessible above the button «Create Account». It is notably possible to configure the display of personalized ads.
“That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is… pre-ticked… Finally, before creating an account, the user is asked to tick the boxes «I agree to Google’s Terms of Service» and «I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.”
Anna Russell, VP at data protection company comforte AG, explains that “When it comes to GDPR” companies need to explain what they’re doing with user data “by telling users in plain language” and “asking users to actively demonstrate consent through an action such as clicking a button” and “always making sure [their] privacy policy [is] easy to find.”
What Does This Mean for Google Users?
If you don’t live in the EU, then it means very little. The GDPR rules don’t extend outside the EU’s borders and, given how lucrative personalized ads are for Google, it’s unlikely the company will stop collecting and processing the information that users hand over for adverts.
If you are inside the EU, though, there’s the possibility that you might see some new pop-ups when using Google services, informing you about privacy policies and the like. These should provide you with a better understanding of how Google is going to use the information you hand over in return for the free use of Gmail, YouTube, the Play Store and more.
However, despite the strongly worded statements from CNIL and the record fine, Google seems to have gotten off pretty lightly, and potentially scot-free.
Tim Erlin, VP at cybersecurity firm Tripwire, is fed up with big companies getting away with it:
“I’d like to see the headlines when these fines are actually paid. Prior to GDPR coming into force, there were endless headlines about the massive fines that could be levied. €50 million may seem like a lot, but the GDPR allows for a maximum of 4% of annual revenue. In Google’s case, that would be about €3.5 billion ($3.9 billion).
“Successful enforcement of the GDPR is an incredibly important step in determining the effectiveness of the regulation. Without teeth, no regulation can make a material difference.”
So, while it’s good to see regulators taking action against Google, there’s still a long way to go before everyone is fully informed and aware of the way their data is being used. And, with governments around the world flailing to get some sort of data privacy regulations in place, it won’t be enough to police practices within the EU only.
Read more about data protection on Tech.co
Image credit: Ben Nuttall