Google penalty - What are the implications for collection of cookie consents?

Google penalty - What are the implications for collection of cookie consents?

Is your website GDPR compliant?

Book a meeting with our compliance experts. We can scan your website for cookies and breaches to the GDPR and ePrivacy.
Our solutions can make your websites and apps completely GDPR cookie compliant.


The French Data Protection Authority (CNIL) has on January 21, 2019 imposed a financial penalty of 50 Million euros on Google, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, insufficient information and lack of valid consent concerning personalization of ads. How can these breaches to data privacy be translated into design requirements for cookie consent templates so the collection of consents can be validly obtained?

Google has been fined 50 Million Euros by the French Data Protection Authority for breaches to their GDPR obligations.

Following two complaints filed against Google just after the major GDPR deadline on May 25, 2018, the CNIL has concluded that Google has been violating GDPR protocol for not having a valid legal basis to process personal data of the users of its services, particularly for ads personalization purposes. The CNIL concludes there are the following breaches:

  • A violation of the obligations of transparency and information
  • A violation of the obligation to have a legal basis for ads personalization processing

Two major breaches to data transparency and user consents

Although Google is providing users with information required by GDPR, the CNIL observed that the information is spread across a number of different documents with several buttons and links necessary to access further information. To access GDPR relevant information, the user is required to perform several actions which is deemed unclear and too comprehensive.

Secondly, the legal basis of the ad’s personalization service according to Google’s privacy information notice is consent. However, CNIL claims that the collection of users’ consents is not sufficiently informative.

According to the CNIL, Google violates the obligations of transparency and information regarding data processing operations and observes: The information on processing operations for the ad’s personalization is diluted in several documents and does not enable the user to be aware of their extent.

Within the second breach, there are in fact two major sub breaches which may affect the requirements of transparency and information in the design of future cookie consent banners.

Informed consent with accessible cookie policy

First, it emphasizes that a banner design in which users have easy and direct accessible information about the processing of personal data is the new standard. It underlines the importance of giving a clear, comprehensive and complete picture of the extent and purpose of data processing as well as information about the lawful/legal basis of data collection and processing.

In the images below you will find some cookie consent examples which illustrate how easily you can make information about your data collection and processing via cookies accessible in a consent banner or cookie pop up.

Popup showing cookie policyThe cookie policy is accessible directly in the overlay cookie pop up before any action can be taken on the website.

Collection of an “unambiguous” and “specific” consent

The second breach to the GDPR that CNIL noticed, concerns the way Google collects its users’ consents. In the report it is made clear, that Google’s collected consent is neither “unambiguous” nor “specific”. CNIL stresses that a consent is unambiguous only with a clear affirmative action from the user. This underlines the importance of designing a cookie banner with cookie choices where the user must actively tick a non-pre-ticked box.

Popup showing privacy controlsOverlay cookie pop up design with non-pre-ticked cookie choices. The user will have the choice to opt-in or out of cookies set for functional, statistical, marketing purposes respectively.

Furthermore, CNIL emphasizes that Google’s consent is invalid because it asks users to give one full consent for all processing operations purposes carried out by Google. In essence this means to be able to use Google’s services, the user must agree to share all data with Google for all sorts of purposes.

However, to obtain a valid specific consent, the user must be able to give consent distinctly for each purpose i.e. functional, statistical and marketing cookies.

We recommend that you mention the purpose of the cookies on your website in the cookie banner text as well as choosing a banner consent template in which it is possible to opt-in and out of each processing purpose distinctively.

Become GDPR compliant!

Become GPDR cookie compliant today! Book a meeting with our compliance experts and we will provide your website with a professional solution.