French data protection CNIL regulator fines Google over consent

The French version of the ICO (Commision Nationale de l’information et des Liberties – CNIL) has issued the first high profile penalty notice (€50m) against Google “in accordance with GDPR for lack of transparency, inadequate information and lack of valid consent regarding ad personalization.”

 As Googles European headquarters are in Ireland it might seem strange that France is leading this particular case but they have a large enough organisation to be able to conduct this sort of action and quite prepared to take this all the way. Google is considering their response and will probably launch an appeal. Googles parent, Alphabet, turned over $110bn in 2017 so probably has deep enough pockets to see this through.

CNIL’s decision was bought about after studying complaints bought about by privacy rights group None of Your Business (NOYB) and digital rights group La Quadrature du Net (LQDN). They felt that Googles pop-up forms relied on ‘forced consent’ implying that services would not be available without signing up. CNIL agreed and felt that consumers consent before using Googles services should have been specific and unambiguous. They felt that Google gave insufficient information on which to base consent and that the information presented to users was vague or generic with no clear information on retention. Consent was then extended across multiple services.

Are consumers that bothered? Probably, if they realised what data is held on them and how it is used. Guardian Journalist Dylan Curran wrote an article in 2018 that explained how some of the data is stored and used. You may not want that level of disclosure of your private life and as Curran stated…” This is one of the craziest things about the modern age. We would never let the government or a corporation put cameras/microphones in our homes or location trackers on us. But we just went ahead and did it ourselves because – to hell with it! – I want to watch cute dog videos.” The services are mostly “free” but we should understand that they come at a price.

To date many companies are still using blanket consent and counting user movement on a page or click-through as consent so this news on Google will certainly make large companies sit up and pay attention as they should now realise that EU regulators will be willing to use the new powers granted under GDPR.

Leave a Reply

Your email address will not be published. Required fields are marked *