France’s data protection watchdog, the CNIL, issued its first General Data Protection Regulation (GDPR) fine on January 21, 2019 against Google with respect to personalized ads that are enabled when a new Android user follows Google’s onboarding process.
Two non-profit organizations called None Of Your Business and La Quadrature du Net had originally filed a complaint back in May 2018. While Google’s European headquarters are in Dublin, the CNIL determined that the team in Dublin doesn’t have the final say when it comes to data processing for new Android users, The CNIL concluded, based on their online inspection in September 2018, that Google fails to meet two specific obligations in the GDPR: Transparency and obtaining valid consent.
Lack of Transparency
With respect to the lack of transparency, the regulator stated (translated to English): “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links which must be clicked to access detailed information.”
The CNIL concluded that users are not able to fully understand the extent of Google’s processing activities in the context of personalized advertising or understand the retention period for their data, because Google has been intentionally vague and generic in their disclosures.
Lack of Valid Consent
Given that the legal basis for processing in the context of personalized ads is consent and not the legitimate interests of Google, such consent is not being validly obtained because users are not sufficiently informed. The consent is neither “specific” not “unambiguous” as required by the GDPR – the option to opt out of personalized ads is hidden behind a “More options” link. That option is pre-ticked by default, which is also contrary to the GDPR’s consent requirements.
According to the CNIL, Google should separate the action of creating an account from the action of setting up a device. The GDPR does not allow consent bundling. Google doesn’t tell users that if personalized ads are left on, the user is not only getting them on their Android phone but across many different services from YouTube to Google Maps to Google Photos.
A Google spokesperson has stated: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
What this Means for Internet Based Businesses
The CNIL pointed out that the economic model of Google is partly based on the personalization of ads. With thousands of French people creating Google accounts daily using their smartphones, the company continues to operate in violation of the GDPR.
The reality of today’s Internet experience is that many organizations engage in behavioral advertising and targeted ads. Marketing departments are increasingly given the budget dollars to harness the power of ad networks and third party ad agencies. Google, like most Internet giants, invested in their GDPR compliance efforts leading upto to the coming into force of the Regulation in May 2018, but simply didn’t make major changes to their business models that are now being challenged. Consent is a tricky topic, and it is fair to say that this GDPR decision is a wake-up call for many organizations. Understanding GDPR compliance obligations, how the Regulation will be interpreted and how your service providers and marketing teams get valid consent should be a top priority for Internet based businesses.
For assistance with your GDPR compliance efforts, contact PRIVATECH.0