Scarinci Hollenbeck, LLC
The Firm
201-896-4100 info@sh-law.com
Author: Scarinci Hollenbeck, LLC | March 5, 2019
The French National Data Protection Commission (CNIL) recently imposed a $57 million fine on Google for violating the General Data Protection Regulation (GDPR). Given that the European Union’s new data protection regulation applies to all companies processing and holding personal data of EU citizens, regardless of where they are located, U.S. companies should take notice.
The GDPR governs the data collection and security of the personal information of European Union citizens from 28 member-states. It represents a significant shift in data privacy law and is far more comprehensive than any data privacy law in the United States.
The GDPR contains numerous requirements regarding how personal data is collected, used, and stored. Notably, companies must obtain consent before collecting personal data and allow consumers to revoke their consent at any time. Businesses must also have specific purposes for processing personal data and must collect and process only that personal data that is necessary to fulfil that purpose.
Businesses are required to enact privacy policies, which must be clearly visible and written in plain language. Under the GDPR, businesses must also be equipped to provide consumers with a copy of all the data that has been collected about them. Importantly, businesses must provide an avenue for consumers to change any inaccurate personal data or erase it completely from their systems, which is known as the right to “be forgotten.” This protection does not exist under U.S. privacy laws.
While GDPR compliance is a time-consuming endeavor, the penalties for non-compliance are significant. Entities subject to the GDPR face a penalty of up to four percent of gross revenue if they fail to comply. However, penalties are not the only reason to make sure you are meeting all applicable GDPR requirements. Companies can also reap significant benefits, including improved data efficiency, stronger data protection, and higher levels of trust with customers. In addition, many large companies are now requiring that their business partners certify that they are GDPR compliant.
Google’s alleged GDPR violations largely center on the company’s ad personalization. As described by the CNIL, Google was penalized for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
According to the CNIL, the way Google structured the information it provided to users regarding data collection ran afoul of the GDPR. Its order stated:
Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.
The CNIL’s order also found that Google’s use of a pre-checked box to obtain users’ consent for targeted ads rendered such consent ambiguous. “Consent is ‘unambiguous’ only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance),” the CNIL stated.
The French agency also faulted Google for failing to adequately explain how it uses data collected across various services for ad targeting. “The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent,” the CNIL wrote. “For example, in the section ‘Ads Personalization,’ it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, PlayStore, Google pictures…) and therefore of the amount of data processed and combined.”
According to CNIL, the amount of the fine, as well as the publicity of the fine, are “justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.” In further support of the sizable penalty, the order also emphasized the proliferation of the Android operating system in the French market. “The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” CNIL stated.
Google has stated that it plans to appeal the decision. “We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing,” Google stated. “We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”
While the GDPR fine is not good news for Google, the case will likely help other companies with their own compliance efforts. The complaints that formed the basis of the CNIL fine were filed almost immediately after the GDPR became effective in May of 2018. However, until fines are levied, and rulings are appealed, it is difficult to really know how the GDPR will be enforced in the real world. For New York and New Jersey businesses that are subject to the data privacy law, the cases warrant close attention. In the meantime, continuing efforts toward GDPR compliance are strongly recommended.
If you have any questions or if you would like to discuss the matter further, please contact me, Rachel Simon, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.