Google gets 50 million euro GDPR fine for lack of transparency
Published on Tuesday, January 22, 2019 - 09:03 by Peter Galdies
France’s Data Protection Authority, the CNIL, has announced a 50 million euro fine for Google.
The CNIL determined that personalisation of advertisements was conducted with a lack of transparency, inadequate information and no valid consent. While users can modify some options associated with the account and also configure the display of personalised ads, this in itself was not enough, as the consents collected were not “specific” or “unambiguous”.
They summarised: "The information provided is not sufficiently clear for the user to understand the legal basis for targeted advertising is consent, and not Google's legitimate business interests."
This fine is the first imposed by the CNIL under the GDPR, and the CNIL warns that further sanctions are on the agenda: “It is not a one-off, time-limited, infringement.”
Google has responded: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of GDPR. We're studying the decision to determine our next steps."
Keen observers will note that consent granularity has been a grey area for many, with businesses often keen to aggregate processes into single consents and with little or no practical guidance on what to do. Hopefully this high-profile early case will begin to illustrate just how granular consents must be during data collection.
The case was initiated by two associations, None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN had the support of 10,000 people in referring the matter to the CNIL.