The French Data Protection Authority (CNIL) has on January 21, 2019 imposed a financial penalty of 50 Million euros on Google, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, insufficient information and lack of valid consent concerning personalization of ads. How can these breaches to data privacy be translated into design requirements for cookie consent templates so the collection of consents can be validly obtained?
Google has been fined 50 Million Euros by the French Data Protection Authority for breaches to their GDPR obligations.
Following two complaints filed against Google just after the major GDPR deadline on May 25, 2018, the CNIL has concluded that Google has been violating GDPR protocol for not having a valid legal basis to process personal data of the users of its services, particularly for ads personalization purposes. The CNIL concludes there are the following breaches:
- A violation of the obligations of transparency and information
- A violation of the obligation to have a legal basis for ads personalization processing
Two major breaches to data transparency and user consents
Although Google is providing users with information required by GDPR, the CNIL observed that the information is spread across a number of different documents with several buttons and links necessary to access further information. To access GDPR relevant information, the user is required to perform several actions which is deemed unclear and too comprehensive.
Secondly, the legal basis of the ad’s personalization service according to Google’s privacy information notice is consent. However, CNIL claims that the collection of users’ consents is not sufficiently informative.
According to the CNIL, Google violates the obligations of transparency and information regarding data processing operations and observes: The information on processing operations for the ad’s personalization is diluted in several documents and does not enable the user to be aware of their extent.
Within the second breach, there are in fact two major sub breaches which may affect the requirements of transparency and information in the design of future cookie consent banners.
First, it emphasizes that a banner design in which users have easy and direct accessible information about the processing of personal data is the new standard. It underlines the importance of giving a clear, comprehensive and complete picture of the extent and purpose of data processing as well as information about the lawful/legal basis of data collection and processing.
In the images below you will find some cookie consent examples which illustrate how easily you can make information about your data collection and processing via cookies accessible in a consent banner or cookie pop up.
Collection of an “unambiguous” and “specific” consent
The second breach to the GDPR that CNIL noticed, concerns the way Google collects its users’ consents. In the report it is made clear, that Google’s collected consent is neither “unambiguous” nor “specific”. CNIL stresses that a consent is unambiguous only with a clear affirmative action from the user. This underlines the importance of designing a cookie banner with cookie choices where the user must actively tick a non-pre-ticked box.
Furthermore, CNIL emphasizes that Google’s consent is invalid because it asks users to give one full consent for all processing operations purposes carried out by Google. In essence this means to be able to use Google’s services, the user must agree to share all data with Google for all sorts of purposes.
However, to obtain a valid specific consent, the user must be able to give consent distinctly for each purpose i.e. functional, statistical and marketing cookies.
We recommend that you mention the purpose of the cookies on your website in the cookie banner text as well as choosing a banner consent template in which it is possible to opt-in and out of each processing purpose distinctively.
- Read more about collection of valid consent in our article
- Learn more about our Cookie Consent Solution