Late last month, France’s data protection enforcement agency, the Commission nationale de l’informatique et des libertés (CNIL), slapped Google with a 50 million euro ($57 million) fine for GDPR violations. (See the CNIL’s decision here in French.) That’s the steepest penalty yet under the new law and more than double the next-highest penalty (20,000 euros for a German social network that did not secure its users’ data).
Specifically, the CNIL claimed that Google’s explanation about how and why it was collecting and storing users’ personal data was not easily accessible. According to the CNIL, the information was difficult for users to find because it was scattered across several documents, so users could not make an informed choice about whether to share their information. The search engine also offered a blanket opportunity to accept or decline all processing activities rather than allowing users to individually accept or decline each individual processing activity. (Users could click on a “more options” link to get to the separate activities.) Google also included a pre-checked box consenting to sharing information for ad personalization, making it the equivalent of an opt-out box rather than the mandated opt-in.
If recent trends continue, Google won’t be the last company to suffer this fate. The European Commission recently released data showing that GDPR-related complaints are rising. On January 25, 2019, leaders of the European Commission issued a statement that national data protection authorities in the EU have “received more than 95,000 complaints from citizens.” The majority of these complaints cite problems with telemarketing, promotional emails, and video surveillance. Meanwhile, organizations have self-reported more than 41,000 data breaches since the GDPR took effect last May.
And the data protection authority of the German state of Bavaria just announced that it may fine as many as 40 large companies in a variety of industries, not just technology, for their practices relating to website cookies. In a recent investigation, it found that none of the 40 companies examined, including online retailers, media companies, and financial institutions, was adhering to the GDPR in its use of tracking tools, including cookies. Most did not adequately disclose to users that they were using tracking technology (by identifying every tracking tool in use), did not explain why the cookies were collecting users’ information, and did not obtain user consent before sending cookie data to their third-party tracking providers. Instead, they shared this information as soon as users landed on the website.
The fine against Google serves as a warning shot, and companies need to recheck (or audit for the first time—shame on you!) their compliance. Here are some basic steps to take.
1. Make sure that you have not pre-filled any checkboxes regarding user consent. Consent under the GDPR must be an affirmative opt-in, so a box the user has to untick is treated as no consent at all. Offer a separate choice for each processing purpose (for example analytics versus ad personalization) rather than a single accept-all switch with the granular options hidden behind a “more options” link.
2. Ensure that your data consent policies are easy to find, are contained in one document, and are in straightforward language that is easy to understand. The policy should define what types of data your organization collects, for what purpose, and which types require user consent. Keep in mind that the longer, more complex, or more confusing the agreement, the less likely it is to pass muster under the GDPR.
3. Make sure you are using appropriate cookie-management tools and that no tracking or advertising cookies are set, read, or shared with third parties until after the user has consented to that specific purpose. Cookies that are strictly necessary to deliver the service the user asked for (a session identifier, a CSRF token) are the only ones that may be set before consent, and they must not be used for tracking.
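The three steps above describe a consent model that is easy to get wrong in code: defaults that silently grant consent, and trackers that fire on page load before the banner is answered. The following is an added illustration written for this post, not code from the original article or from Google or any of the companies audited. It shows a small template audit that flags pre-checked consent boxes, and a per-purpose consent store that gates cookie writes so only strictly necessary cookies land before the user opts in. The purpose names, the `data-purpose` attribute, the cookie names and the HTML snippet are all constructed for the demo.

```javascript
// Added example (not from the original post): opt-in consent gating for
// non-essential cookies, plus an audit of a form template for pre-checked
// consent boxes. Purpose names and markup are constructed for illustration.

// Only this purpose may set cookies without consent (session, CSRF, etc.).
const STRICTLY_NECESSARY = "necessary";

// Constructed template: the "ads" box is pre-checked, which is an opt-out
// pattern rather than the required opt-in.
const CONSENT_FORM_HTML = `
  <form id="consent">
    <input type="checkbox" name="analytics" data-purpose="analytics"> Analytics
    <input type="checkbox" name="ads_personalisation" data-purpose="ads" checked> Personalised ads
    <input type="checkbox" name="newsletter" data-purpose="marketing"> Newsletter
    <input type="checkbox" name="remember_me"> Keep me signed in
  </form>`;

// Audit: every consent checkbox (marked with a data-purpose attribute, an
// assumed convention) must start unchecked. Returns the offending names.
function findPreCheckedConsentBoxes(html) {
  const offending = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if (!/type\s*=\s*["']?checkbox/i.test(tag)) continue;
    if (!/\bdata-purpose\s*=/i.test(tag)) continue; // not a consent control
    const name = (tag.match(/\bname\s*=\s*["']([^"']+)/i) || [])[1] || "(unnamed)";
    // In HTML the bare presence of "checked" means the box starts ticked.
    if (/\schecked(\s|=|>|\/)/i.test(tag)) offending.push(name);
  }
  return offending;
}

// Per-purpose consent store. Default is deny: nothing is granted until the
// user explicitly ticks a box, and each purpose is decided separately.
function createConsent() {
  const granted = new Set();
  return {
    grant(purpose) { granted.add(purpose); },
    revoke(purpose) { granted.delete(purpose); },
    allows(purpose) {
      return purpose === STRICTLY_NECESSARY || granted.has(purpose);
    },
    snapshot() { return [...granted].sort(); },
  };
}

// Cookie gate: write the cookie only if its purpose is covered by consent.
// `jar` stands in for document.cookie / the response Set-Cookie headers.
function setCookieIfAllowed(jar, consent, cookie) {
  if (!consent.allows(cookie.purpose)) {
    return { set: false, reason: `no consent for purpose "${cookie.purpose}"` };
  }
  jar.set(cookie.name, cookie.value);
  return { set: true };
}

// Simulated page lifecycle: on load only the session cookie is written; after
// the user ticks just "analytics", the analytics cookie lands but the ads
// cookie is still blocked because that purpose was never consented to.
function simulatePageLoad() {
  const jar = new Map();
  const consent = createConsent();
  const log = [];
  const wanted = [
    { name: "sessionid", value: "s1", purpose: STRICTLY_NECESSARY },
    { name: "_analytics", value: "a1", purpose: "analytics" },
    { name: "_ads_id", value: "x1", purpose: "ads" },
  ];
  for (const c of wanted) {
    log.push({ phase: "load", cookie: c.name, set: setCookieIfAllowed(jar, consent, c).set });
  }
  consent.grant("analytics"); // the one box the user actually ticked
  for (const c of wanted) {
    log.push({ phase: "after-consent", cookie: c.name, set: setCookieIfAllowed(jar, consent, c).set });
  }
  return { cookies: [...jar.keys()].sort(), granted: consent.snapshot(), log };
}

console.log("pre-checked consent boxes:", findPreCheckedConsentBoxes(CONSENT_FORM_HTML));
console.log(JSON.stringify(simulatePageLoad(), null, 2));
```

Running the audit over the constructed form reports only `ads_personalisation`; the `remember_me` box is ignored because it carries no `data-purpose` marker and is a functional setting, not a consent to processing. The simulated load shows that nothing except the session cookie is written until the user acts, and that granting one purpose does not unlock the others, which is the granular, opt-in behaviour the CNIL decision expects.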
Contact us for more information about how to ensure your eDiscovery processes are compliant with the terms of the GDPR.