Home Privacy France Slaps Google With 50 Million Euro Fine – Largest Yet Under GDPR

France Slaps Google With 50 Million Euro Fine – Largest Yet Under GDPR


France’s data protection authority issued a 50 million euro fine against Google on Monday for failing to comply with the General Data Protection Regulation.

Not only was Google found not to have the proper consents in place from its users to collect and process data for personalization and ad targeting, it may not even have a legal basis to do so at all since users are so ill informed about what Google wants to do with their data.

Google relies on consent to process user data for personalization purposes.

According to the CNIL (the Commission nationale de l’informatique et des libertés), Google’s process for obtaining consent isn’t transparent or specific enough and doesn’t give users the information they need to make an informed decision. [Click here to read the English translation of the CNIL’s sanction.]

The CNIL also claims that Google’s approach to data collection is “particularly massive and intrusive” because it doesn’t gather consent for ad personalization for each of Google’s different services separately, including Search, YouTube, Google Home, Google Maps, the Play Store, Google Photo and others.

In other words, Google was found to have committed a cardinal sin under GDPR, which states that a company must obtain consent for each specific way it wants to use personal data. Google also pre-checks boxes by default during the consent gathering process, which is another major GDPR no-no.

The CNIL’s ruling follows a series of complaints filed by two nonprofit groups, La Quadrature du Net and None Of Your Business (NOYB), both of which accused Google of not having a legal basis for processing the personal data of its users.

None Of Your Business is led by Max Schrems, the Austrian lawyer and privacy campaigner responsible for bringing the 2013 legal challenge against Facebook’s international data-sharing practices that ultimately overturned the Safe Harbor agreement.

On May 25, 2018, the day GDPR went into effect in Europe, Schrems and None Of Your Business filed a class action lawsuit against Google for “coercing” its users into giving consent for data collection, which is what the CNIL is now reacting to. Schrems also filed suits against Facebook, Instagram and WhatsApp that day, so another shoe may yet drop impacting Google’s co-duopolist.

The NOYB suits were filed in France, Austria, Belgium and Hamburg, Germany – all jurisdictions with active data protection authorities.

“These places were not chosen arbitrarily or by accident,” noted Dominique Shelton, co-chair of the ad tech privacy and data management practice at Perkins Coie, in a previous interview.


AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Until now, the CNIL had focused most of its attentions on the little guys, using public enforcement actions to make an example of smaller companies. These companies, mainly French ad tech startups focused on the location data space, were given time to mend their ways rather than being hit with a fine right off the bat.

The CNIL’s action against Google could be “a symbolic message sent to show that not only small companies are targeted by the CNIL – even if 50 million euros is probably only 15 days’ worth of Google France’s revenue,” a French ad tech executive told AdExchanger.

Monday’s fine against Google, which translates to roughly $57 million, is the largest GDPR-related penalty to date and the first time either Google or Facebook is being called to task for running afoul of Europe’s new privacy laws. But it is also chump change for Google, whose ads business brings in billions every quarter.

However, the ruling is portentous for how European regulators feel about the duopoly: wary of large, US-based technology companies and more than willing to crack down.

In July of last year, the European Union hit Google with a $5.1 billion fine for breaking antitrust laws for striking deals with phone manufacturers to favor its Android operating system.

Must Read

Comic: TFW Disney+ Goes AVOD

Disney Expands Its Audience Graph And Clean Room Tech Beyond The US

Disney expands its audience graph and clean room tech to Latin America, marking the first time it will be available outside the US. The announcement precedes this week’s launch of Disney+ with ads in Latin America.

Advertible Makes Its Case To SSPs For Running Native Channel Extensions

Companies like TripleLift that created the programmatic native category are now in their awkward tween years. Cue Advertible, a “native-as-a-service” programmatic vendor, as put by co-founder and CEO Tom Anderson.

Mozilla acquires Anonym

Mozilla Acquires Anonym, A Privacy Tech Startup Founded By Two Top Former Meta Execs

Two years after leaving Meta to launch their own privacy-focused ad measurement startup in 2022, Graham Mudd and Brad Smallwood have sold their company to Mozilla.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Nope, We Haven’t Hit Peak Retail Media Yet

The move from in-store to digital shopper marketing continues, as United Airlines, Costco, PayPal, Chase and Expedia make new retail media plays. Plus: what the DSP Madhive saw in advertising sales software company Frequence.

Comic: Ad-ception

The New York Times And Instacart Integrate For Shoppable Recipes

The New York Times and Instacart are partnering for shoppable recipe videos.

Experian Enters The Third-Party Data Onboarding Business

Experian entered the third-party data onboarder market on Tuesday with a new product based on its Tapad acquisition.