What Businesses Can Learn from Google’s Hefty GDPR Fine

Google was fined $57 million for not complying with the General Data Protection Regulation. Learn why Google was penalized so you can avoid the same data-privacy mistakes in your company.

Although it has only been enforced since May 25, 2018, companies are already being fined for not complying with the European Union’s General Data Protection Regulation (GDPR). In January 2019, Google was fined $57 million [USD] by France’s data protection authority, the National Data Protection Commission (CNIL). Google is the first US technology company to be penalized for GDPR noncompliance.

Learning why Google was fined can help you better understand what companies need to do to comply with data-privacy regulations. It is important for all businesses to have this basic understanding because legislation similar to GDPR is being passed in other parts of the world. For instance, in June 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA). It gives California residents some of the strongest data-privacy protections in the world. CCPA will start being enforced in January 2020.

Why Google Has Been Fined

GDPR was created to provide data-privacy rights to EU citizens and protect them from data breaches. For example, EU citizens have the right to find out the types of personal data that companies are collecting about them, how the data is being used, and where it is being stored. Furthermore, businesses must ask customers for permission to collect and process their personal information. Companies must also make it easy for customers to withdraw their consent.

Two digital-rights advocacy groups made formal complaints to CNIL about Google’s data processing practices, especially when it comes to personalizing ads. Here is what CNIL found when it investigated the complaints:

Information is not easily accessible. CNIL found that is not easy for Google users to learn essential information about the types of data being collected about them, how that data is being used, and how long it is being stored. According to CNIL, the information is excessively disseminated, forcing users to access multiple documents and perform many steps to get it.

Some information is unclear and inadequate. CNIL discovered that, in some instances, Google’s explanations about how it is using the collected data are too vague, which impedes users’ ability to fully understand the purposes for processing that data. Similarly, the types of personal data being collected and processed is sometimes unclear. Plus, Google does not always specify how long it keeps the data.

There is a lack of valid consent regarding personalized ads. Although Google states that it obtains users’ consent to collect and process data for ad personalization purposes, CNIL found that it is not being validly obtained for two reasons:

• Users are insufficiently informed about the total amount of data being collected and processed to make an informed decision. To personalize ads, Google collects data from many of its websites, apps, and services. However, Google does not tell users the specific sources from which their data is collected and how the various pieces of information are combined to provide personalized ads.
• The consent is not specific. GDPR mandates that companies get customers’ specific, clear-cut consent to collect and use their personal data for each desired purpose. For instance, if a company wants to collect and process customers’ personal data for the purposes of displaying personalized ads and offering speech recognition services, it needs to ask customers for their consent for each purpose individually. Moreover, customers have to give their consent using a clear affirmative action, such as checking a box. (The box cannot already be preselected by the company.) According to CNIL, Google is not following these requirements. To create a Google account, users must select the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy”. By doing so, users are giving their consent for all of Google’s various data collection and processing purposes (e.g., for ad personalization, for speech recognition services). While users can later configure their settings to stop their personal data from being collected and processed for the purpose of displaying personalized ads, this option is not easy to find. Furthermore, the option giving consent is preselected by Google.

Based on these findings, CNIL fined Google $57 million. The tech giant has already announced that it will appeal the penalty. Even if the appeal succeeds, Google will have likely spent a considerable amount of money and resources challenging the fine. For this reason and others (e.g., less prone to data breaches, increased customer satisfaction), it is a good idea for businesses to make sure they comply with GDPR if they have customers in the European Union.

Although Google Was the First, It Won’t Be the Last

Other well-known tech companies might be following in Google’s footsteps. Complaints have been levied against Facebook, Twitter, and several streaming service providers (including Apple, Netflix, Spotify, and YouTube). Complaints and fines are not limited to large tech companies. Any business that processes or stores the personal data of EU citizens is required to comply with GDPR, regardless of its size or industry.