Google has been fined 50 million euros (£44m) by the French data regulator CNIL, for a breach of the EU’s data protection rules.
CNIL said it had levied the record fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
The regulator said it judged that people were “not sufficiently informed” about how Google collected data to personalise advertising.
In a statement, Google said it was “studying the decision” to determine its next steps.
Complaints against Google were filed in May 2018 by two privacy rights groups: None Of Your Business (Noyb) and La Quadrature du Net (LQDN).
The first complaint under the EU’s new general data protection regulation (GDPR) was filed on 25 May 2018, the day the legislation took effect.
The groups claimed Google did not have a valid legal basis to process user data for ad personalisation, as mandated by the GDPR.
Although Google’s European headquarters is in Ireland, it was decided among the authorities that the case would be handled by the French data regulator, since the Irish watchdog did not have “decision-making power” over Google’s Android operating system and Google’s services.
A lack of transparency
The regulator said Google had not obtained clear consent to process data because “essential information” was “disseminated across several documents.”
“The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” the regulator said.
“Users are not able to fully understand the extent of the processing operations carried out by Google.”
No valid consent
Additionally, the regulator said Google had failed to obtain a valid legal basis to process user data.
“The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent,” it said.
It said the option to personalise ads was “pre-ticked” when creating an account, which did not respect the GDPR rules.
“The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc).
“However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.”
The regulator said it was Google’s “utmost responsibility to comply with the obligations on the matter”.
In a statement, Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”