Google got dinged by France’s data protection watchdog on Monday for failing to properly collect user consent under the General Data Protection Regulation. It was only a scratch but the ruling could signal a rough road ahead for the industry’s consent framework.
The 50 million euro fine levied by the CNIL (the Commission nationale de l'informatique et des libertés) , around $57 million, is the largest GDPR-related penalty issued to date, but the amount is so slight that it won’t even register on the bottom line of a company that generates multiple billions in advertising revenue every single quarter.
“I think Google might be emboldened by both the magnitude of the fine and the focus on consent collection design specifics rather than their business as a whole,” said Andrew Frank, VP of research and a distinguished analyst at Gartner.
Google can probably improve its consent collection process “without making fundamental revisions,” he said. And as a consumer-facing utility provider, Google is better positioned to obtain consent on a purpose-by-purpose basis than many ad tech companies without direct consumer relationships.
But if Google is getting called out for porting and sharing consent for its own services, where does that leave IAB Europe’s GDPR Transparency and Consent Framework? The IAB proposal is widely seen as the industry’s best bet to enable publishers to effectively share user consent with their key ad tech vendors.
Is that framework in peril?
Maybe. The CNIL has already questioned its viability through a November 2018 enforcement action against Vectaury, a French ad tech company that was called out for using a defective consent management platform to collect permission from its publisher and SSP partners.
The IAB’s consent framework “has always been challenged” by the GDPR’s requirement that consent be “granular,” Frank said, meaning that separate advance consent must be obtained for each data processing purpose.
That said, the jury’s still out on whether the framework will be an acceptable solution from the regulatory perspective.
“It doesn’t seem completely clear whether separate companies can share a common purpose for data processing – that is, to offer targeted advertising – for the purposes of obtaining consent,” Frank said. “There are many parties working on resolving this point.”
But what does seem clear is that it’s time to strap in as regulators crack their knuckles and start to put their new legislative tools to the test.
“We’re in for a very long series of actions and reactions before we settle on some new equilibrium,” Frank said.
And the wind isn’t blowing in Big Tech’s favor. None Of Your Business, the privacy advocacy group whose complaint triggered the CNIL’s case against Google, also has related and pending complaints filed in multiple European jurisdictions against Facebook’s family of apps along with a bunch of other large tech companies.
And that “bodes ill for any free online platform that makes its money through targeting advertising,” said Andrew Burt, chief privacy officer and legal engineer at Immuta, a data management platform that helps companies gather compliant data. “This might be good news for consumers, but it’s not good news for Silicon Valley.”