The largest fine so far under the General Data Protection Regulation—Europe’s new data privacy law— has been levied against Alphabet, Inc.'s Google for allegedly failing to get adequate user consent to push targeted ads.
The $57 million fine was imposed by the French data protection authority CNIL, which said they began investigating Google’s advertising practices in the spring of 2018 after they received two complaints from two European data privacy consumer organizations on behalf of more than 10,000 people.
The investigation concluded that Google buried privacy information under layers of links and buttons that made it hard for users to find, and the information itself was confusing and unclear. CNIL also concluded that when Google does claim to obtain consent through its myriad user settings, “the collected consent is neither ‘specific’ nor ‘unambiguous.’
“The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent,” the CNIL said in a statement. In an example, the CNIL said a user browsing the “Ads Personalization” section might not be aware of the “plurality of services, websites and applications involved in these processing operations," like Google search, Maps, Home, Play Store, YouTube “and therefore the amount of data processed and combined.”
In a statement, Google said they’re committed to high standards of transparency and “deeply committed to meeting those expectations and the consent requirements of the GDPR."
“We’re studying the decision to determine our next steps,” a Google spokesman said.
With a market cap of $760 billion, the 50 million Euro fine will have little impact on Alphabet’s bottom line, but the ruling does signal how European regulators plan on forcing tech companies that profit from user data to be more upfront with how they collect and use that information. It also signals what penalties other tech giants might face under GDPR in the coming weeks and months.
One of the two organizations that filed the complaint, noyb, has filed nearly a dozen other complaints for alleged GDPR violations against Facebook, Amazon, Apple, and others.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Max Schrems, chairman of noyb in a statement. “We have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
This isn't the first time Google has been hit with fines from European regulatory agencies. Last year, the firm was fined €4.34 billion for violating EU antitrust rules after an investigation into restrictions they imposed on Android manufacturers and network operators to use Google search and browser apps. At the time, a regulator for the European Commission said the company was using Android as a vehicle to cement the dominance of its search engine and squelch competition.