The announcement from CNIL about their decision to fine Google provides valuable insight into the thinking of Supervisory Authorities when it comes to transparency (notice) and consent.
Google’s exposure to the fine is attributed to the complexity of their privacy notice and terms of service. The information a user may wish to find was scattered over several web pages, in different documents, making it difficult for a consumer to locate. Further, CNIL cited that the information was sometimes vague and non-specific, again leaving the user uninformed.
The consent issue is related, in that a user cannot give valid consent under GDPR if the controller is not being transparent about their practices. Further, Google was using one opt-in to accept all aspects of processing under the privacy notice (and terms & conditions) instead of obtaining specific consent across their different platforms (search, YouTube, etc.). Finally, when Google did give the user an opportunity to tailor their permissions, they used an opt-out instead of obtaining affirmative consent to provide advertising services.
It is also interesting that, while Google’s EU headquarters is in Ireland and their lead SA is the Irish Data Protection Authority, it was decided that at least a portion of their business was not subject to the one-stop-shopping provisions of GDPR. The mobile side of Google’s business, the Android operating system, was found to be controlled by Google LLC in the US.
Privacy Ref recommends that our clients that do business in the EU review their privacy notice and consent practices with this CNIL decision in mind. For more information or assistance, please feel free to contact our team.