The French watchdog's fine against Google follows complaints filed by None Of Your Business (NOYB) and La Quadrature du Net (LQDN) on 25 and 28 May 2018 against Google LLC for "not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization goal".
Multiple tech companies were targeted with GDPR complaints after the regulation was enacted in the EU. Google had previously come under fire in November 2018 as the main culprit in complaints filed by multiple consumer groups, according to The European Consumer Organisation, over deceptive practices used to track user location.
They said Google had made it too hard for users to understand and manage preferences on how their personal information is used, in particular with regard to targeted advertising.
"Users are not able to fully understand the extent of the processing operations carried out by Google". The French digital rights group La Quadrature du Net also lodged a complaint about Google a few days later.
Google said in a statement it is "deeply committed" to transparency and user control as well as GDPR consent requirements.
An investigation into complaints filed against Google a year ago revealed that users were "not sufficiently informed" about its data consent policies, CNIL said.
Google has yet to issue a statement on the fine.
"We're studying the decision to determine our next steps", it said. "It is important that the authorities make it clear that simply claiming to be compliant is not enough", he said.
Last September, Brave Browser filed a GDPR complaint against Google in Britain and Ireland, alleging that the search giant's use of "real-time bidding" to allow companies to purchase personalized ads exposes more user data than is allowed under the regulations, such as ethnicity, sexuality, and political views. However, the GDPR provides that the consent is "specific" only if it is given distinctly for each objective.
"The purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes", the CNIL added.
Users' "consent" is now set as the global default setting, which fails to meet the regulator's requirement that companies obtain "specific" consent. In both cases, France said that Google had erred.
Indeed, the user not only has to click on the button "More options" to access the configuration, but the display of the ads personalization is moreover pre-ticked. Companies that violate the legislation may be fined up to 20 million euros or 4 percent of their annual turnover. "It is not a one-off, time-limited, infringement". Ultimately, the GDPR's power is not just about monetary penalties, but forcing changes to business models.