Google has been hit with the most significant fine since the launch of GDPR last May. Is it a wake up call for marketers?
Google has been fined €50m (£44m) for breach of GDPR laws. The fine, levied by French regulator CNIL, is the largest and most significant to be announced since GDPR regulations were first actioned by EU member states, in May 2018.
The regulator said Google had not taken the necessary action to make its consent options easy for customers to opt out of.
"The relevant information is accessible after several steps only, implying sometimes up to five or six actions," the regulator said.
"Users are not able to fully understand the extent of the processing operations carried out by Google."
The regulator’s statement also implied that options to personalise adverts were ‘pre-ticked’ when customers set up accounts with the tech behemoth, which was in breach of GDPR rules.
"The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc).
"However, the GDPR provides that the consent is 'specific' only if it is given distinctly for each purpose."
In response, Google issued a statement confirming their desire to comply with the regulator’s requirements: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
Major issues ahead?
Speaking to the New York Times, data policy expert Johnny Ryan said that the size of the fine was, to some degree, immaterial, compared with the context of why Google had been found to be unlawful. Indeed, the EU only recently fined the company an eye-watering £5bn for violation of antitrust rules.
The real story is not that Google was fined, but that its business may be significantly disrupted from today on.
— Johnny Ryan (@johnnyryan) January 22, 2019
“CNIL’s decision is very significant because it means that Google must stop building advertising profiles about people until it has properly told them what it is doing and received their consent,” Ryan said.
“It is likely that many people will say no to being profiled by Google when they learn the truth,” he said.
According to Cliqz research, 80% of all the web pages we load every day contain Google tracking software. Dr.-Ing Marc Al-Hames, the managing director at Cliqz says it is “almost impossible” to opt-out of advertising profiling by Google.
“The Internet giant is raising behavioural profiles in alarming detail above virtually everyone in the Western world and using them for advertising purposes. Google users have no effective way to escape tracking. And even those who completely forego Google services stand no chance: That so many web pages are being tracked is alone more than enough to monitor our behaviour in the digital world.”
A wake-up call for marketers
Whilst Google may be feeling the effects of the fine, it also asks major questions of all businesses – especially their marketing leaders whom may have been forgiven for believing the fundamental challenge of GDPR had been resolved in May 2018.
“The news should be hitting companies like a cold shower,” says Matt Lock, a director at Varonis.
“It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls. The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar– their luck may be running out soon.”
The news should be hitting companies like a cold shower
Marketers and customer data leaders are encouraged to reengage with the correct stakeholders within their business on the topic of GDPR, if their lines of communication have lapsed:
“Many organisations are still unsure whether their GDPR compliance strategy is 100% fit for purpose, but this incident signals that long gone are the days where privacy can be relegated to an IT or compliance effort,” says Ryan Kalember, SVP, cybersecurity strategy at Proofpoint.
“The magnitude of this fine clearly shows this is a business-wide issue. Compliance professionals [from all departments] now have a use case to take to the board to secure any funding and resources they need to become GDPR compliant if their organisation isn’t today.”
Anna Russell, VP at comforte AG says marketers need to be more vigilant in the wake of the fine, and should lean on their core skills as communicators to better articulate consent options with their customers and prospects.
“When it comes to GDPR, it’s always best to err on the side of caution, whether that’s in matters of gaining user consent, pseudonymisation of personal data, reporting breaches or otherwise.
“No matter if you’re a start-up with just a few hundred contacts or a tech giant managing a database of millions, it is of vital importance to gain and document consent from users whose data you collect or process.
It is of vital importance to gain and document consent from users whose data you collect or process
Among a faction of the legal profession, there remains a degree of sympathy for marketers caught in the malaise of trying to balance stringent data law with the wants and expectations of their customers.
A recent survey from SurveyMonkey found that 63% of consumers think marketers are selling them things that aren’t relevant to them, whilst numerous studies in 2018 highlighted that customers expect a richer level of personalisation from brands that engage with them online.
"The targeted advertising industry faces a serious challenge,” says Ron Moscona is a partner at the international law firm Dorsey & Whitney. “How to operate in a legal environment that requires that users permit the use of their data for profiling and advertising purposes and still offer its fundamental services at low or no cost to users.
“The industry has evolved over the years with different standards in the United States. The data obtained from users can be hugely valuable. Consent can be a significant hurdle to harvesting that data, but business models are evolving, and companies are beginning to learn what regulators in the EU expect.”
It is widely anticipated that further major fines will be dished out to some of the globe’s other leading tech companies over the coming months, yet it is arguably those not facing the immediate wrath of Europe’s regulators that should be jolted into action first – especially in the marketing function where the effects of the regulations are being felt most acutely.