Skip to main content

Google hit with largest GDPR fine to date over lack of data and ad transparency

With the General Data Protection Regulation, Europe set out to unify privacy regulation and “ensure consistency of regulatory decisions for companies and EU citizens.” Google today was fined by France’s privacy regulator over the “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

This investigation began last year when France’s National Data Protection Commission (CNIL) received complaints over Google’s handling of personal data, especially in regards to ads. The French regulator specifically found two GDPR breaches after conducting online inspections in September 2018 on Android.

“A violation of the obligations of transparency and information” centers around Google not centralizing “essential information” on one page, and instead requiring users to go through “up to 5 or 6 actions.”

Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.

Additionally, regulators found that “some information [was] not always clear nor comprehensive,” while Google did not disclose how long it maintains user information.

The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company.

Meanwhile, the second focusses on a “violation of the obligation to have a legal basis for ads personalization processing,” or Google not providing an explicit enough opt-in for advertising during the Account sign-up process on Android.

However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance).

As a result, Google was fined €50 million and could receive further penalties if it does not amend these practices. To date, this is the largest fine (via The Verge) issued against a company since GDPR came into effect last year.


Check out 9to5Google on YouTube for more news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com