France’s data protection regulator (CNIL), also called the National Commission of Informatics and Civil Liberties, said Google was not sufficiently transparent and did not prominently disclose required information to users or validly obtain their consent for ad targeting.

Google has become the target of the largest GDPR consent violation fine by CNIL, after privacy advocacy groups ‘None Of Your Business’ (noyb) and La Quadrature du Net filed complaints on June 1, 2018, against Google and Facebook. One of the issues raised in the complaints was the alleged use of “forced consent,” since some services could be accessed only after agreeing to terms. The regulatory body claims that Google has failed to comply with the General Data Protection Regulation (GDPR) when new Android users set up a new phone and follow Android’s onboarding process. Though Google’s Europe HQ is in Dublin, the CNIL observed that when it comes to data processing for new Android users, the final say comes from Mountain View, outside the EU, giving the regulator a reason to continue the investigation in Paris.

Quoting the CNIL statement, “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents . . . The relevant information is accessible after several steps only, sometimes up to 5 or 6 actions.” CNIL added that the information provided to users is “not always clear nor comprehensive . . . The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent . . . [in addition] the restricted committee observes that the collected consent is neither ‘specific’ nor ‘unambiguous.’”

GDPR mandates that clear consent be obtained for each specific data use case, and in this case, a violation was found. The staggering amount of the fine was due to the privacy infringement practice being an ongoing process, not a one-time slip-up. Also, clearly, this is one case the regulators want to use to send a clear and stern message to the market.

With Google, if a user wants to know how their data is processed to personalize ads, it takes 5 or 6 taps, and then it gives obscure and general information. Also, CNIL maintains that Google’s consent flow doesn’t comply with the GDPR since, by default, Google pushes users to sign in or sign up to a Google account. Under GDPR, Google should separate account creation from setting up a device, given that consent bundling is illegal under the GDPR. Moreover, Google doesn’t ask for clear, unambiguous consent during account creation. The option to opt out of personalized ads is hidden behind a “More options” link, which is, in most cases, pre-ticked by default, which is unacceptable. Google also asked users to tick “I agree to the processing of my information as described above and further explained in the Privacy Policy” when you create your account. GDPR does not allow this kind of broad consent.

Despite this being a European issue, it will have a global impact, since some of the GDPR’s provisions could make their way into U.S. privacy legislation and regulation, and then it could also influence politicians and lawmakers at the state level. From the point of view of marketers, this could be a whole new issue. Decidedly, if individual use cases for ad targeting are called out, and consent is needed for each and every point, a majority of Europeans are likely to decline to allow major ad platforms to use their data. This is certainly going to impact display ad effectiveness, and Google and other marketers will need to start educating users about the advantages of personalized marketing. At present, this seems like a tall task; no one will be in the mood to listen!

A Google spokesperson issued a statement to the press saying, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

For now, this is the first ever strong step the GDPR has taken in the global arena, big money and big brands notwithstanding.