|
Google has been fined for failing to obtain user consent in full before personalising adverts.
CNIL said Google users were not sufficiently informed that their personal data was collected by Google to deliver more targeted advertising. It said Google practised a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation” and did not have a valid legal basis to process user data.
“The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent,” CNIL said. It added that the box to consent to personalised ads was pre-ticked, information on how data is processed and stored is spread across several documents, and information about retention periods is not provided for some data. Moreover, users give blanket tickbox consent to processing personal information before they can create an account.
The Google fine is the largest under the GDPR and the first time the French regulator has issued a GDPR penalty since the new rules, which raise the bar for fines levied on corporates that hold and misuse personal data.
The French regulator took on the investigation following complaints from two privacy rights groups the day the new legislation took effect on 25 May 2018. CNIL was designated the lead authority between European data regulators, in particular Ireland where Google has its European headquarters.
Google’s fine exceeds the €20m sanction limits under the GDPR and instead has been based on the alternative 4% of annual turnover option, as set out under the GDPR. Google said it was studying the decision to determine its next steps, adding it is committed to the GDPR’s consent requirements.
Full article on Commercial Risk (subscription required)