Companies around the world that want to do business with countries that are part of the European Union must be very careful with how they collect, store, and utilize customer data. This includes being compliant with GDPR policies and regulations.
One of the world’s largest technology companies, Google, has been found to be in violation of these policies and has been fined 50 million euros ($56.8 million) as a result.
The penalty has been imposed at the request of France’s data protection regulator CNIL, which said that the company was not sufficiently transparent about the use of personal information and didn’t obtain specific consent for ad targeting purposes.
CNIL conducted an investigation into Google’s practices after complaints were filed on June 1, 2018 by privacy advocacy group NOYB.eu. One of the complaint’s issues was alleged use of “forced consent,” which made access to services contingent upon agreement to terms.
The CNIL statement said, “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents . . . The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.” CNIL added that the information provided to users is “not always clear nor comprehensive.”
CNIL explained that the amount of the fine was “justified by the severity of the infringements.” It explained that the violations were not isolated but ongoing. The letter also implied one purpose of the fine’s size was to send a message to the market. According to the regulator, these violations are yet to have been rectified by the search giant. Under GDPR, companies are required to gain the user’s “genuine consent” before collecting their information, which means making consent an explicitly opt-in process that’s easy for people to withdraw.
Responding to the fine, a Google spokesperson said that the company is “deeply committed” to meeting the “high standards of transparency and control” that people expect of it. They said that the company was studying CNIL’s decision in order to determine its next steps. In a later statement, Google announced that it planned to appeal the fine, noting that it was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond.”
Apart from this, Google has also been accused of GDPR policy violations by consumer groups across seven European countries over what they claim are “deceptive practices” around its location tracking.