The French data regulator CNIL has fined Google £44m over how its data collection policies violated the terms of GDPR.
According to CNIL, the regulator decided to levy a record fine against the tech giant for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
Google’s users were not sufficiently informed as to how the company collected data to personalise advertising on its search engine.
Complaints against the tech giant were filed in May 2018 by the privacy rights groups noyb and La Quadrature du Net (LQDN). The first complaint was filed on the day GDPR went into effect and the groups claimed Google did not have a valid legal basis to process user data for ad personalisation under the new regulation.
While the company’s European headquarters is located in Ireland, authorities decided that the case would be handled by CNIL since the Irish watchdog lacked “decision-making power” over its Android operating system and services.
Lack of consent
The regulator explained that Google had not obtained clear consent to process data in a statement on its site, saying:
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.”
CNIL also stressed the fact that the company had failed to obtain a valid legal basis to process user data since the option to personalise ads was “pre-ticked” when creating an account on its site which is in direct violation of GDPR.
Google said that it is studying the regulator’s decision to determine its next steps and in a statement the company reaffirmed its commitment to comply with GDPR, saying:
“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
Via The BBC