Google and CNIL: a Case of Inappropriately Obtained Consent

By Nicolas St-Sauveur, Lawyer

In its deliberation decision No. SAN 2019 001, the French Data Protection Supervising Authority ("CNIL"), meeting in a restricted committee, ruled that Google LLC ("Google") had failed to comply with its obligations pertaining to transparency and information imposed by General Data Protection Regulation (EU) 2016/679 ("GDPR"), and that the consent on which Google relies for processing personalised advertising was not legitimately obtained.

Without elaborating further on Google's shortcomings, here are some things you should take away from this decision if, for example, you run a company selling to Europeans online (although CNIL does not want to give you too much opportunity to improve things before they sanction you).

The Principal Place of Business

The principal place of business of a data controller (the company which processes personal data) is not determined by its size (number of employees, monetary value of their economic activities, etc.), but by whether it is the place in which decisions are taken regarding the purposes and means of processing personal data, and whether it has the power to enforce these decisions.

In the present case, in the absence of a principal place of business within the European Union, any supervisory authority was competent to bring the action against Google.

The Separation of Consent

This decision reminds us of the importance of separating each request for consent, without pre ticking any boxes in order to obtain bulk consent.

When a company processes complex, technical or unexpected data, it must define, separately and clearly, the main consequences of processing this data to those concerned. The latter (your user, for example) must be informed of how this may affect him, and when seeking consent to use his personal data, you should ensure that he explicitly consents to it (by clicking a button, for example); you may not proceed with processing his data without this consent, even if this person ultimately accepts your privacy policy in order to obtain your services. If several tasks for processing personal data require your user's consent, each request for consent included within your privacy policy must first be configured in such a way that processing is initially refused.  You may only process the data once your user has changed the setting to allow data collection.

Freely Given Consent

In order for consent to be freely given, it is important to ensure that the different services you use to process your users' data are available to view by hyperlink (for example). The users in question must be in a position to understand the nature and the volume of the data you collect about them.

Lots of Privacy Documents and Lots of Clicks: Bad Idea

The use of several electronic documents requiring several "clicks" should be avoided. In the case against Google, users were required to browse through more than one document and to perform up to six actions in order to find some of the relevant information.

The recommended practice is to write the privacy policies by layer. However, we believe that particular attention should be paid to the number of layers and clicks required to access the information. The use of explicit titles in such policies will be useful, since the number of clicks and the ease of locating the necessary information will now become criteria to consider when determining the validity or otherwise of obtaining consent.

Defining the Purposes of Data Processing

When defining the purposes of processing personal data, it is essential to be specific and to highlight the extent of the processing and the degree of intrusion into the data subject's private life. Google has been criticised for defining its purposes too broadly. Here, it should be remembered that giving too many details may confuse the person in question and may also fail to comply with the obligation for transparency. As such, defining these purposes will require precision. Have you specifically stated each purpose of the personal data processing tasks you are carrying out, at the time of collection?

Substantial Damage

CNIL specifies that a lack of transparency regarding the personalisation of advertising (remarketing), as well as a lack of valid consent to this processing by users, constitute substantial breaches of users' privacy and is at variance with the legitimate aspirations of individuals wishing to retain control of their data. If you do business online and are collecting personal data about people within Europe, you should take a look at your privacy policy to ensure it surpasses Google's.

It is advisable to follow developments on this decision, about which Google has appealed to the French Council of State.

Nicolas St-Sauveur is part of BCF's Web team that offers our clients relevant legal services and advice about their presence on the Internet. This constantly evolving environment requires the expertise of a multidisciplinary team like BCF.