Legal Alert: French CNIL Fines Google for Privacy Violations

By: Matthew J. Wiebe

Yesterday CNIL fined Google, Inc. €50 million (nearly $57 million in U. S. dollars) for lack of transparency, inadequate information, and lack of valid consent for data processing related to personalized advertisements.

Created in 1978, the “Commission on Information Technology and Liberties” (CNIL) is a French governmental authority that exists to protect individual privacy. CNIL fined Google for violations of the General Data Protection Regulation (GDPR), which is a European Union law for protecting the personal data of individuals in the E.U. Under French law CNIL’s maximum fine was €300,000, but the GDPR increased those limits to €20 million or more for large companies. The GDPR became effective in May of 2018, so this action may be the first of many.

Google’s violations are grouped into two primary categories: lack of transparency and lack of valid consent. First, Google obfuscated its privacy policies such that even after thorough examination most users would not fully understand Google’s data processing operations. Google “excessively disseminated” relevant information across several locations and forced users to take multiple steps to access it. Making the matter worse, Google’s operations are “particularly massive and intrusive” because of its range of operations, including Search, Translate, Chrome, Maps, YouTube and more.

Second, Google did not obtain valid consent to process users’ data for ad personalization. Because of its lack of transparency, users were not adequately informed about what they were agreeing to. Further, Google’s default setting was to grant permission, which CNIL claimed was not the “clear affirmative action” required by the GDPR. Finally, to create an account on Google users must consent to all of Google’s processing operations, including ad personalization, speech recognition and geo-tracking, rather than consent to or refuse each specific option.

Why is this relevant to a business in West Michigan? In addition to the fact that the web really is world-wide and a vibration in Europe can be felt in the U.S., increased protections for personal privacy may be on the horizon here as well. The Federal Trade Commission has been investigating Facebook’s privacy practices since March of 2018 but has not yet concluded despite pressure from the U.S. Senate. More comprehensive and wide-ranging regulations may be coming. Organizations in the U.S. should consider getting ahead of these laws and consumer sentiment to ensure that their privacy policies and practices stand up to scrutiny. Should you have questions or concerns, Smith Haughey’s attorneys can help review your privacy policies and practices to ensure that they satisfy current regulations and best position your company for future developments.