In a statement on Wednesday, CNIL said Google’s merging of its various services’ privacy policies into a unified policy was in itself legal, but the way in which it implemented that unified policy was not legal.
Specifically, the regulator said, Google did not inform its users enough about how their data would be mixed and matched between the various services, such as Gmail and Google Maps, nor why this data was being combined in this way (hint: advertising).
If this sounds familiar, that’s because it’s almost exactly what the Dutch regulator and a Berlin court said in November. CNIL also said Google didn’t get sufficient user consent before storing cookies on devices, nor was it clear to its users about how long it would keep their data in its systems.
Now, it doesn’t take a genius to note that €150,000 is chump change for Google, but it is the largest fine ever levied by CNIL. The regulator also ordered Google to put a notice on google.fr over 2 days – within 8 days from today – about the decision.
“This publicity measure is justified by the extent of Google’s data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights,” CNIL said.
BONUS FACT: The news drew a quick response from SafeGov.org, which stated:
“Google’s continued violation of and obstinacy against EU data protection rules is deeply concerning, not just to the average consumer, but also to the schools, governments, hospitals and businesses that Google is increasingly targeting. There is an inherent conflict of interest in allowing the world’s largest advertising company to collect, process and store such sensitive personal data. We encourage Data Protection Authorities to look specifically at this issue as they continue to investigate privacy abuses.”
Who’s behind SafeGov.org? Why, Microsoft, of course!