CNIL fines Google €50M for lack of transparency

Google has been fined €50M by the French Data Protection Authority for breaches to their GDPR obligations.
Table of Contents

The French Data Protection Authority (CNIL) has on January 21, 2019 imposed a financial penalty of 50 million euros on Google. 

The fine is given for lack of transparency, insufficient information and lack of valid consent concerning personalization of ads. 

How can these breaches to data privacy be translated into design requirements for cookie consent so your website can collect valid consent to cookies?

Two major breaches to data transparency and user consents

Following two complaints filed against Google just after the major GDPR deadline on May 25, 2018, the CNIL has concluded that Google has been violating GDPR protocol for not having a valid legal basis to process personal data of the users of its services, particularly for ads personalization purposes

The CNIL concludes there are the following breaches:

Although Google is providing users with information required by GDPR, the CNIL observed that the information is spread across a number of different documents with several buttons and links necessary to access further information. 

To access GDPR relevant information, the user is required to perform several actions which is deemed unclear and too comprehensive.

Secondly, the legal basis of the ad’s personalization service according to Google’s privacy information notice is consent. 

However, CNIL claims that the collection of users’ consents is not sufficiently informative.

According to the CNIL, Google violates the obligations of transparency and information regarding data processing operations and observes: The information on processing operations for the ad’s personalization is diluted in several documents and does not enable the user to be aware of their extent.

Within the second breach, there are in fact two major sub breaches which may affect the requirements of transparency and information in the design of future cookie consent banners.

Google not collecting valid consent

First, CNIL emphasizes that a banner design in which users have easy and direct accessible information about the processing of personal data is the new standard. 

It underlines the importance of giving a clear, comprehensive and complete picture of the extent and purpose of data processing as well as information about the lawful/legal basis of data collection and processing.

The second breach to the GDPR that CNIL noticed, concerns the way Google collects its users’ consents. In the report it is made clear, that Google’s collected consent is neither “unambiguous” nor “specific”. 

CNIL stresses that a consent is unambiguous only with a clear affirmative action from the user

This underlines the importance of designing a cookie banner with cookie choices where the user must actively tick a non-pre-ticked box.

Furthermore, CNIL emphasizes that Google’s consent is invalid because it asks users to give one full consent for all processing operations purposes carried out by Google.

In essence this means to be able to use Google’s services, the user must agree to share all data with Google for all sorts of purposes.

How to collect valid consent to cookies?

Update: Since the CNIL’s fine on Google in January 2019, the European Court of Justice has ruled (October, 2019) that consent is only valid if it is actively given. Checkboxes for cookies must be “off” as default. 

Here’s a short checklist to become cookie compliant on your website. 

Checklist for collecting
valid consent to cookies