On Jan. 19, the French Data Protection Commission (CNIL) imposed a penalty of $57 million against Google LLC for violating the General Data Protection Regulation (GDPR). The CNIL’s decision is specific to Google’s compliance, or alleged lack thereof, with the GDPR, but businesses subject to similar “GDPR-like” legislation can also learn lessons from this event.

The penalty imposed on Google, although financially significant, is well below the maximum allowed under the GDPR (4 percent of worldwide annual revenue of the previous year).

While Google’s initial reaction to the ruling was to confirm its commitment to meeting GDPR expectations, Google has already announced its decision to appeal.

The Alleged Conduct at Issue

The CNIL alleged that Google does not comply with the GDPR because information about how consumers’ data is processed is “excessively disseminated across several documents” and requires consumers to take several steps to access. Additionally, the CNIL noted that relevant information, including the categories of personal data processed by Google, is described in a “too generic and vague manner.”

The CNIL also concluded that Google does not obtain valid consent for ad personalization purposes. The ruling focused, in part, on Google’s method for obtaining “consent” by means of a “pre-ticked” box, thereby requiring no clear affirmative action from users to indicate agreement to process their personal information.

Practical Takeaways

The lessons to be learned should be observed not only by those businesses subject to the GDPR, but also by those businesses subject to similar “GDPR-like” legislation.

For example, following the effective date of the GDPR, California responded with its own privacy protection law. The California Consumer Privacy Act (CCPA), which goes into effect on Jan. 1, 2020, greatly expands privacy protections for California residents by providing greater transparency and control over how certain businesses use their personal information. Come 2020, California residents will have rights that are similar in principle to those afforded to European Union (EU) residents, including the right to access information, the right to deletion, the right to data portability, and the right to opt out.

Given that we are likely to see similar enforcement activity in the near future, both in the EU and the U.S., businesses can extract several lessons from this decision, even if the ruling is ultimately reversed or modified on appeal:

1. Businesses should ensure they are providing all required information in an easily accessible manner. Regulators are no longer judging businesses based only on how much information a business elects to disclose about its data collection, sharing, and use practices. Rather, how such information is disclosed will be a key factor in deciding whether businesses are being “transparent” about their data privacy practices.

As noted by this decision, requiring consumers to review several documents or to click on multiple links to obtain the information they are entitled to will likely draw scrutiny from regulators enforcing GDPR-like regulations.

2. Businesses should avoid vague and ambiguous language in their disclosures, even when such disclosures are required in “categories” of information. Indeed, the concept of disclosing information in terms of “categories” is not unique to the GDPR.

The CCPA, for example, also requires businesses to disclose certain information in terms of categories, including the categories of:

  • personal information collected about a consumer;
  • sources from which the personal information is collected; and
  • third parties with whom the business shares personal information.

While providing information in terms of categories is permissible (and likely required for many multi-jurisdictional companies), the Google decision demonstrates that businesses need to consider the risks involved and must ensure that any categorization provides a sufficient level of information to the consumer.

3. Businesses should consider that mandated disclosure requirements do not only implicate an organization’s formal privacy policies and terms of use, but also implicate the onboarding process. Regulators are investigating these practices primarily through the lens of the consumer when determining whether an organization is being sufficiently transparent.

4. Consent, whenever required, should be obtained through clear and affirmative actions by users who are fully informed of what they are agreeing to. A business can attempt to obtain consent several times throughout its onboarding and user experience processes; however, if such consent is ambiguous or general in terms of its application (e.g., requiring users to consent to the processing of their information as described in an applicable privacy policy), such consent will likely not be upheld. Consent should be specific and unambiguous, and is perhaps best obtained through “just in time” notices, which provide information at the time the user needs it to make an informed decision.

5. Lastly, while Google may be able to withstand a $57 million penalty, other companies may not be able to do the same. Businesses must dedicate sufficient time, effort and resources to their privacy-compliance efforts. For some, including start-ups, privacy is an issue that is addressed only if the business becomes successful. For these companies, it may be too late or certainly much more expensive to develop successful privacy programs after penalties have been assessed.

Author Information

Sadia Mirza, an attorney at Troutman Sanders LLP, focuses her practice on cybersecurity and privacy issues and compliance across the financial services industry. She is a knowledgeable transactional counsel with experience in-house, positioning her to interact effectively with business, compliance, legal and information security departments.

Sheila Pham, an attorney at Troutman Sanders LLP, focuses her practice on cybersecurity and information privacy. She provides practical counsel and advocacy to clients facing emerging issues and is uniquely positioned to deliver true risk-based assessments by leveraging her litigation experience in both state and federal courts.