EU privacy regulators tightly interpreted GDPR definitions of “adequate notice” and “valid consent”, clarifying standards that companies use for gathering information from EU residents. Notice of processing must be clear and easy for consumers to find, and obtaining a data subject’s consent has become much more difficult, with extensive permission requirements for multiple processing operations on the same data.

On January 21, 2019, one of the EU’s data privacy regulators (France’s Commission nationale de l'informatique et des libertés or “CNIL”) imposed its first GDPR fine. The CNIL narrowly interpreted the GDPR’s requirements for transparency and valid consent, applying them to marketing and ad personalization preferences. To provide “adequate notice”, website users need easy access to the information. If it takes several clicks to learn about a company’s data processing practices, then those users probably do not have adequate notice as defined in this decision. With its hefty fine (€50,000,000.00), the CNIL emphasizes the severity of these GDPR violations.

The ruling included an analysis of online privacy notices, stating that “layered” notices (i.e., notices with lots of “clicks” to discover information) did not comply with the transparency requirements under the GDPR. Essential information, such as data processing purposes, data storage periods and the categories of personal data used to personalize ads, cannot be buried in multiple online policies and must be transparent to applicable data subjects as required by the GDPR.

Further, when a company relies on data subject consent as the lawful basis for processing data, specific and unambiguous consent under the GDPR must be obtained, including when information is being processed for personalized ads. Under the GDPR rules, consent cannot be valid unless (1) the data subject is adequately informed of the purpose of processing personal data, and (2) the consent notice is specific and unambiguous. According to this CNIL decision, pre-ticked boxes (i.e., data subjects are “opted in” to data collection unless those subjects act to uncheck a box) do not allow data subjects to make a meaningful choice as part of an “I agree to the following” processing submission. Even if the box is not pre-ticked, a data subject must be given information about (and the right to consent to) each type of processing performed by the company collecting the data. The CNIL does not find that the data subject adequately or validly consented to having his/her data collected when a data subject is offered a catch-all consent question covering all data processing for all purposes.

For more detail, see the analysis by Womble Bond Dickinson’s EU privacy lawyers in the UK:

Or the CNIL’s decision: (press release available as of January 23, 2019)