
Privacy
regulators in France have fined Google around $57 million for failing to comply with Europe's sweeping privacy rules.
In a ruling issued Monday, the French National Data Protection Commission (CNIL)
said Google failed to obtain people's unambiguous consent before using their data in order to personalize ads.
"The infringements observed deprive the users of essential guarantees
regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible
combinations," the CNIL wrote.
The GDPR, which went into effect May 25 of last year, requires companies to obtain people's consent before using their data for ad targeting.
The CNIL
said Google's interface included a pre-checked a box that allowed the company to use data for ad targeting. But the use of a pre-checked box was problematic, because it rendered people's consent
ambiguous, according to regulators.
“Consent is 'unambiguous' only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance),” the CNIL
stated.
The regulators also faulted Google for failing to adequately explain how it uses data collected across various services for ad targeting.
“The information on processing
operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent,” the CNIL wrote. “For example, in the section 'Ads
Personalization,' it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps,
PlayStore, Google pictures…) and therefore of the amount of data processed and combined.”
The ruling grew out of complaints filed in May by the groups None Of Your Business, helmed by privacy advocate
Max Schrems, and La Quadrature du Net.
Schrems cheered news of the CNIL's decision. "We are very pleased that for the first time a European data protection authority is using the
possibilities of GDPR to punish clear violations of the law," he stated Monday. "Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the
law differently’ and have often only superficially adapted their products."
None of Your Business has also filed complaints against Facebook and two companies it owns -- Instagram and
WhatsApp.