Following an investigation into Google’s advertising practices, CNIL and other EU privacy regulators found that the company was violating the EU-wide General Data Protection Regulation (GDPR) — some of the strictest controls over consumer data in the world. So, what did Google do wrong, and what does it mean for Google users, and for other companies bound by GDPR?
What Did Google Do Wrong?
According to CNIL, Google didn’t make it easy enough for everyday users to find and digest information about what Google would do with the data they provided the company. To be clear, Google did provide the information. But CNIL said that the detail was too hidden away: Clarity around the collection and use of customer data is one of the central pillars of the GDPR rules, as AlienVault’s Javvad Malik explains: “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.”

CNIL also found that Google failed to validly obtain user consent to personalize the ads it fed to users. This is the more serious charge levelled at the search giant, as companies need to jump through a series of hoops in order to legally personalize adverts for EU residents. CNIL says that Google violated the normal legal collection of data for personalized ad processing in two ways: Effectively, Google flouted the GDPR rules by not telling users that the data they were providing was going to be used to send targeted ads their way. Going into more detail, CNIL explained: “Then… the collected consent is neither ‘specific’ nor ‘unambiguous.’”

Anna Russell, VP at data protection company comforte AG, explains that “When it comes to GDPR” companies need to explain what they’re doing with user data “by telling users in plain language” and “asking users to actively demonstrate consent through an action such as clicking a button” and “always making sure [their] privacy policy [is] easy to find.”

“That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is… pre-ticked… Finally, before creating an account, the user is asked to tick the boxes «I agree to Google’s Terms of Service» and «I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.”
What Does This Mean for Google Users?
If you don’t live in the EU, then it means very little. The GDPR rules don’t extend outside the EU’s borders and, given how lucrative personalized ads are for Google, it’s unlikely the company will stop collecting and processing the information that users hand over for adverts.

If you are inside the EU, though, there’s the possibility that you might see some new pop-ups when using Google services, informing you about privacy policies and the like. These should provide you with a better understanding of how Google is going to use the information you hand over in return for the free use of Gmail, YouTube, the Play Store and more.

However, despite the strongly worded statements from CNIL and the record fine, Google seems to have gotten off pretty lightly, and potentially scot-free. Tim Erlin, VP at cybersecurity firm Tripwire, is fed up of big companies getting away with it: So, while it’s good to see regulators taking action against Google, there’s still a long way to go before everyone is fully informed and aware of the way their data is being used. And, with governments around the world flailing to get some sort of data privacy regulations in place, it won’t be enough to police practices within the EU only. “Successful enforcement of the GDPR is an incredibly important step in determining the effectiveness of the regulation. Without teeth, no regulation can make a material difference.”
Image credit: Ben Nuttall