And so it begins.
Less than a year after the General Data Protection Regulation (GDPR) went into effect, the first major corporate penalty has been handed down. CNIL, France’s data-privacy regulatory authority, just fined Google €50 million — and most experts believe this is only the beginning of harsher enforcement actions to come.
The Fine Against Google
Google made two major mistakes, according to CNIL. First, it violated the GDPR’s requirement for transparency. Information about how and why Google collects personal data is “excessively disseminated across several documents,” rather than being in one easy-to-find location. Even when it’s compiled, Google’s descriptions of its “purposes [for] processing are described in a too generic and vague manner” to meet the GDPR’s mandates for clear, comprehensible information.
Second, Google failed to validly obtain consent to use that collected data. Any consent given was insufficiently informed, due in part to the non-transparency of Google’s disclosures. Nor was consent “opt-in,” as required by the GDPR. Additionally, the consent could not be “specific” to any particular service, since Google requires that a user “consent in full” to all of Google’s services in order to access any of them.
But the fine against Google is merely a warning shot. The maximum possible fine was more than $4.7 billion, making $57 million a drop in the bucket by comparison.
The Effect on Businesses
So far, most companies, especially in the U.S., have responded to the GDPR by making their consent forms and data-collection policies more visible but not necessarily more user-friendly. Now, “companies large and small may be forced to change the way they collect and store personal information online.”
Bloomberg gloomily predicted that “the ruling [might] portend a broader crackdown on digital advertising,” in which obtaining user consent becomes so burdensome that digital ads become all but impossible to personalize within the law. Such over-regulation, in its view, discounts the possibility that “consumers think all the free and easily accessed services they get [through personalized ads] are a fair exchange for their anonymized data.”
Do This Next
How should corporate ediscovery professionals respond? Rather than waiting to see whether Google appeals — and what the court of public opinion ultimately decides — now is a great time to conduct a critical review of your online consent and data-use policies. Better yet, ask a friend or relative to read them and explain what they mean. If they can’t, or if they refuse to because it takes too long, you’d be wise to revise. Aim for something simple and straightforward enough that the average consumer can read and fully comprehend what data you’re collecting and how you’re going to use it.
Google may be well able to afford a multimillion-dollar fine, but how many businesses can say the same? The good news for smaller businesses is that European regulators seem to be starting their enforcement at the top. Don’t let those lessons be wasted on you.