In January, French data privacy agency CNIL imposed a $57 million penalty on Google for alleged noncompliance with the General Data Protection Regulation (GDPR), a regulation passed by the EU parliament in 2016. It comes as no surprise that the authorities have decided to make Google an example of what is to come if noncompliance is suspected by European regulators.
According to the GDPR rules that took effect in May 2018, “the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.” The law also states that “consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.”
Based on how Google collected and used consumer data to create personalized ads, CNIL imposed a fine on Google, alleging that Google did not provide information to its users in a manner that is transparent, informative, and easily understandable. Because Google’s consent policy was deemed insufficient, CNIL stated that Google did not have the legal basis to use the consumer information it collected. Google’s response maintained that the company did everything in its power to create a GDPR consent process, based on the regulatory guidance provided.
There is no doubt that Google will put up a robust defense in its appeal of the French data privacy agency’s $57 million fine. But the significance of this infraction goes beyond what Google did, or didn’t do, in order to be compliant with French regulations. This can be seen as yet another wake-up call for corporations anywhere in the world that track and use consumer data, from tech giants to online retailers. Given the global patchwork of laws and regulations that govern consumer data privacy, compliance is easier said than done.