Google has been fined a record EUR 50 million by French data regulator CNIL for having violated the EU’s data protection rules (GDPR), the BBC reports.
CNIL said it fined the company for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. It added that people were “not sufficiently informed” about the way Google collects data to personalise ads.
Two privacy rights groups had filed complaints against Google in May 2018, when the GDPR took effect in the EU. They claimed that Google did not have a valid legal basis to process user data for ad personalisation.
CNIL said the company had not obtained clear consent to process data because “essential information was disseminated across several documents”.
“Users are not able to fully understand the extent of the processing operations carried out by Google,” the decision reads.
Under GDPR, companies are required to gain the user’s “genuine consent” before collecting their information, which means making consent an explicitly opt-in process that’s easy for people to withdraw.
A Google spokesperson said that the company is “deeply committed” to meeting the “high standards of transparency and control” that people expect of it. They said that the company was studying CNIL’s decision in order to determine its next steps.