The French data protection watchdog CNIL has fined Google €50 million (around $57 million). The fine falls under the General Data Protection Regulation (GDPR), brought in by the EU last year.

What is GDPR

The GDPR is a new EU regulation that sets out how data should be handled within the EU, setting up parameters for companies to adhere to. The main points of the regulation are (paraphrased):

Affirmative consent is needed before saving any tracking cookies for any personal data.

A Privacy Officer is required for companies with over 250 employees or companies that deal with sensitive or personal data.

Companies can only store data that is relevant to their business activities and have a responsibility to remove other information.

The right to be forgotten (data can be deleted on your request).

The right to be notified when a company leaks your data.

Companies must remain in control of their data. For example, internal documents should be labeled with their privacy level. Also, companies should know where their data is, so they must crack down on information being stored in multiple places where it is vulnerable to being leaked or not being deleted when the time comes.

Companies can be fined much more under GDPR than under previous data protection laws. The maximum fine is 20 million euros or 4 percent of the company’s annual global revenue, whichever is higher.

Google is the latest company to be hit with a fine for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

The CNIL received complaints against Google in May 2018 from two non-profit organizations: None Of Your Business (NOYB) and La Quadrature du Net (LQDN).

After receiving the complaints and investigating them, the CNIL believed that Google had violated two core privacy rules within the GDPR: transparency and consent.

One complaint was centered around the allegation that Google makes it too difficult for users to find essential information. Examples of this information include the documents around data processing, data storage periods and categories of personal data used for the ads personalization. Google has been accused of hiding these documents by making them intentionally confusing to find, forcing users to go through different links, visit different pages and ultimately requiring 6 separate actions to get to the information.

When users do finally find the page they are looking for, the CNIL says that the information is “not always clear nor comprehensive.”

The other complaint involves how Google obtains its consent to process data for ads personalization purposes. The CNIL believes that Google does not obtain valid consent. For example, when you create a Google account, the option for personalized ads is pre-ticked. This means it could easily be missed by lots of people who didn’t realize they consented. Other boxes are also pre-ticked, such as the “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” when users create an account.