Google has been served with a €50m (£44.1m) fine by the French data regulator for breaching the EU’s rules on consumer data protection, representing the largest fine yet under GDPR.
The National Commission on Informatics and Liberty (CNIL) said Google received the financial penalty for a “lack of transparency, inadequate information and lack of valid consent regarding advert personalization.”
It marks the first time the CNIL has used the EU’s strict General Data Protection Regulation (GDPR).
The authority said Google did not take appropriate measures when asking users for their data.
“The restricted committee observes that the users’ consent is not sufficiently informed,” the CNIL wrote in a statement.
It added that “the collected consent is neither ‘specific’ nor ‘unambiguous’,” because it was difficult for users to modify preferences on where their data was used, particularly concerning targeted ads.
“The user not only has to click on the button ‘More options’ to access the configuration, but the display of the ads personalization is moreover pre-ticked,” the body wrote.
Two advocacy groups, None Of Your Business (NOYB) and La Quadrature du Net (LQDN), filed group complaints with the CNIL in May 2018. LQDN filed on behalf of 10,000 individuals.
Though today’s fine is the largest under GDPR to date, it is relatively small in comparison to the legislation’s maximum penalty limit of up to four per cent of a firm’s annual global turnover. In Google’s case, the fine could have been more than $4.3bn (£3.3bn) based on revenues of $109.7bn in its last full financial year.
A Google spokesperson said the firm was “studying the decision” to determine its next steps.
Noyb also filed complaints against Apple, Amazon, Google, Netflix and Spotify on Friday, claiming the tech giants had violated users’ rights.