French data protection regulator CNIL has fined Google and its subsidiary Google Ireland Ltd a total of €100 million for automatically placing advertising cookies on users' devices without obtaining prior consent, thereby amassing huge advertising income at the expense of users' privacy.
Commission nationale de l’informatique et des libertés (CNIL), the official data protection regulator of France, issued two fines of €60 million and €40 million respectively to Google LLC and Google Ireland Limited for "having placed advertising cookies on the computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information."
The fine was imposed following an investigation into Google's adherence to the General Data Protection Regulation (GDPR) and the French Data Protection Act that began in March this year. CNIL found that not only did Google automatically placed cookies on users' devices, but it also failed to inform users about the placement of cookies, and failed to withdraw advertising cookies from users' devices even when users did not wish to keep cookies in their devices.
"The restricted committee imposed a financial penalty of 60 million euros on GOOGLE LLC and another one of 40 million euros on GOOGLE IRELAND LIMITED and decided to make them public. The restricted committee justified these amounts having regard to the seriousness of the breach of Article 82 of the French Data Protection Act, that has been observed in relation with three aspects," CNIL said.
"It also highlighted the scope of the search engine Google Search in France and the fact that the practices of the companies affected almost fifty million users. Finally, it noted the significant profits of the companies deriving from the advertising income indirectly generated from data collected by the advertising cookies."
Even though Google changed its policy regarding the placement of cookies after CNIL highlighted the company's data protection failings, CNIL observed that a new information banner put up by Google on google.fr did not allow users to understand the purposes for which the cookies are used and does not let them know that they can refuse these cookies.
Google was fined £44 million in 2019 for data protection failings
This is not the first time that Google has drawn the ire of CNIL due to its data protection failings. In January last year, CNIL issued a fine of 50 million euros (£44 million) to Google for failing to adhere to GDPR requirements while obtaining consent from users to process their personal data for delivering personalised advertisements.
CNIL said that Google was guilty of violating GDPR as far as obtaining user consent for the collection of personal data was concerned as the company did not take specific or unambiguous consent for processing personal data for different websites or applications, nor were users sufficiently informed about how or for what purposes their personal data will be processed.
"Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.
"The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service," CNIL observed.
"Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined.
"Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data," it added.