This week CNIL, the French data regulator, fined the company €50m for what it said was a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation".
Alongside a handful of other rulings from across Europe, marketers are now starting to get a picture of what compliance looks like.
It also gives us an indication about France’s approach to privacy. When questioned on the regulator’s possible attitude to GDPR enforcement ahead of GDPR coming into force in May 2018, French attorney Annabelle Richard felt CNIL would adopt a “more flexible position when it comes to compliance with the new rights and obligations… provided the companies can show that they have been acting in good faith in taking steps towards compliance”.
Given CNIL’s investigation into Google took place in September last year coupled with the fact they claimed in this month’s finding that nothing had changed between then and now, possibly bears out this assumption.
Aside from the specifics of the ruling there are a few things that stand out. Firstly, this a significant scalp for privacy advocates. One of the most-high profile groups is Noyb (None of Your Business), led by Austrian privacy campaigner Max Schrems.
In reaction to CNIL’s ruling he commented “we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products”. What this decision clearly demonstrates is that actions speak louder than words and businesses must prove they’ve thought about the fundamentals of data usage and storage and made appropriate changes and provisions.
Secondly, when Noyb filed their complaints against Google in May 2018, they also raised objections against other digital businesses including Facebook. Therefore, the Google ruling could be the first of many more over the coming months.
Lastly bundled consent which many digital businesses are relying on to continue functioning, is firmly in the crosshairs of the data regulators. With privacy advocates’ tails up and unequivocal positions from Europe’s data enforcers, the message is clear for any businesses who have pushed GDPR down the priority list.