The “massive” €50 million ($57 million) fine is driving the press coverage, but there are far more significant aspects of the French data protection authority (CNIL) finding that Google is in violation of the GDPR. Far from a case of the Euro bureaucrats throwing stones at a US tech giant, the finding has implications for virtually anyone covered by the GDPR.
The initial complaint against Google was filed by privacy advocacy group NOYB (guess what that stands for) on 25 May, the day the GDPR took effect. (This was later joined with a similar complaint from a French group called La Quadrature du Net.) Simultaneously, NOYB filed complaints against Facebook, WhatsApp, and Instagram. Significantly, the four complaints all focused on the practice of “forced consent” – that is, effectively requiring consent to data processing in order to use the service.
The CNIL investigated the complaint using the advanced technique of observing the information and consent requests presented when signing up for a Google account on an Android phone. According to the CNIL’s English (well, Frenglish) language summary of findings, they determined that Google fails to obtain valid consent for three main reasons.
- The information presented by Google about personal data processing is not transparent and easy to understand: “The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.”
- The consent request is not “unambiguous,” as it deploys pre-ticked opt-in settings. The GDPR requires an unambiguous and “clear affirmative action” from the user to indicate consent, which precludes the use of pre-ticked settings.
- The consent is not sufficiently specific, since the user is asked only to agree to the processing of personal data “as described and further explained in the Privacy Policy” and Terms of Service. Such a general or omnibus request violates the GDPR’s requirement for separate consent requests for each specific processing purpose. If Google proposes, say, 20 different purposes, the user must be able to give or deny consent for each.
There is nothing at all surprising about the CNIL’s findings. Any clever 12-year-old who read the text of the GDPR could tell you that Google’s registration process is obviously, manifestly in violation. What is surprising is that NOYB made the full text of their complaint public in May; the CNIL investigated the registration procedure in late September. That means Google knew precisely where and why they were accused of forcing consent by NOYB, yet they evidently made no changes in the four months before the CNIL investigation. As Max Schrems of NOYB likes to say, Google seems to believe that it is sufficient to simply “interpret the law differently” than the regulators. This refusal to even make a good-faith effort to comply with the GDPR could well have contributed to the record fine.
But – seriously – this “massive” fine is meaningless for Google, which made over $303 million each day, every day, in 2017. The GDPR says fines should be “dissuasive,” but a €50 million headwind is not going to cause Google to change course. That’s not to say that the CNIL is letting Google off easy. But to see how the thumbscrews are being applied, we have to look at . . .
The Real Story: Follow The Real Money
Forget the fine, look at the findings. It’s not that the CNIL holds Google to be in violation of the GDPR, it’s that the specific violations go right to the heart of Google’s business model.
Tellingly, the CNIL’s summary focuses on the failure to obtain valid consent for what they call “ads personalization.” The barely veiled message is that the regulators will not allow Google to claim that personalized ads – and all of the data collection, aggregation, and profiling that powers it – is “necessary” for the fulfillment of a contract to provide a Google service. (As Schrems noted in May, “Whatever is really necessary for [a service] is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”)
The impact on Google is evident in the CNIL’s example of the lack of sufficient information:
“For example, in the section ‘Ads Personalization’, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.”
The excellence and attraction (for advertisers) of Google’s ad personalization is based precisely on the large number and variety of data mining services noted by the CNIL and on the subsequent huge “amount of data processed and combined.”
If, as the decision clearly intends, Google now has to spell out every source of data collection and all of the ways in which it is combined and used – including outside of Google, across devices, and even offline – it is very unlikely that a majority of users are going to agree to surrender a huge amount of personal data just for the dubious benefit of slightly less irrelevant advertisements.
What’s “dissuasive” about the CNIL finding isn’t the fine, it’s the potential disruption of Google’s advertising revenues and the impact on their personalization as a competitive advantage. But, speaking of competitors, now we get to . . .
The Real Real Story: Everybody Back To The Drawing Boards
Recall that NOYB also filed virtually identical complaints about forced consent against Facebook, WhatsApp, and Instagram. Given that the various EU member state regulators are working very hard to coordinate their investigations and interpretations, it’s quite conceivable that the CNIL decision will serve as a kind of template for similar findings against Facebook and crew.
Of course, that will depend on the details of whether and how these services fail to comply with the GDPR. In any case, the CNIL has quite clearly spelled out the types of practices – legalese; complicated, hard-to-follow process flows; inadequate presentation of opt-out options; pre-ticked boxes; bundled consent requests for separate purposes, etc. – that are not acceptable under the GDPR. But the fact is that easily the majority, and perhaps over 80%, of the consent requests – usually clothed in cookie notifications – currently deployed in response to the GDPR utilize some of these practices.
(One egregious example: Oath (the satanic combination of AOL and Yahoo), where it was necessary to click through nine screens in attempting – and ultimately failing – to opt out of a single one of their hundreds of processing partners.)
Sound advice is that every company affected by the GDPR should revisit and reevaluate their consent and notification practices in light of the CNIL’s verdict on Google.
Just when you think that you’ve survived the awful test of the GDPR, the CNIL has returned your work, covered in red marks, and bellowed DO OVER!
Need A Workshop?
If your team wants to understand the elements of the GDPR and how it affects your marketing and content efforts, let us know. We have full-day advisories and workshops designed to ensure that you are getting the best information to be able to lean in to first-party data acquisition with confidence.