On January 21, 2019, the French National Data Protection Commission (CNIL) fined Google LLC €50 million for a lack of transparency, inadequate information, and lack of valid consent for its personalized advertisements. Just after the General Data Protection Regulation (GDPR) took effect, two privacy advocacy groups filed complaints against Google claiming that it did not have a valid legal basis to process personal data for its personalized advertisements. Based on the findings of its investigation, the CNIL identified two separate violations of the GDPR: (1) lack of transparency and information; and (2) the absence of a legal basis for processing personal information.

The CNIL found that information provided by Google about the personalized advertisements was not easily accessible for users, as the information was spread across several documents, requiring users to click on buttons and links to access the requisite information. The CNIL also found that Google had not obtained informed consent from its users. Although the CNIL noted that Google users could modify some options associated with their account by clicking on the “More Options” button, the personalization of advertisements was pre-selected, which was not the “unambiguous” consent required by the GDPR. The CNIL also noted that Google users had to agree to Google’s Terms of Service before they could open an account, which was not the specific consent required by the GDPR.

In imposing the €50 million fine, the CNIL noted that this was the first time it had applied the new sanctions under the GDPR and that the amount of the fine and its public nature were justified by the severity of Google’s continuous infringements of the essential purposes of the GDPR: transparency, information, and consent.

TIP: Companies should review their consent practices to ensure they provide accurate and transparent information about the use of the data and allow the users to give informed consent pursuant to GDPR.