• by Wendy Davis , January 21, 2019

Privacy regulators in France have fined Google around $57 million for failing to comply with Europe's sweeping privacy rules.

In a ruling issued Monday, the French National Data Protection Commission (CNIL) said Google failed to obtain people's unambiguous consent before using their data in order to personalize ads. 

"The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations," the CNIL wrote.

The GDPR, which went into effect May 25 of last year, requires companies to obtain people's consent before using their data for ad targeting.

The CNIL said Google's interface included a pre-checked a box that allowed the company to use data for ad targeting. But the use of a pre-checked box was problematic, because it rendered people's consent ambiguous, according to regulators.

“Consent is 'unambiguous' only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance),” the CNIL stated.

The regulators also faulted Google for failing to adequately explain how it uses data collected across various services for ad targeting.

The ruling grew out of complaints filed in May by the groups None Of Your Business, helmed by privacy advocate Max Schrems, and La Quadrature du Net. 

Schrems cheered news of the CNIL's decision. "We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law," he stated Monday. "Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products."

None of Your Business has also filed complaints against Facebook and two companies it owns -- Instagram and WhatsApp.