The CNIL held that, by requiring users to do this, Google failed to comply with two provisions of the GDPR. Firstly, it failed to provide transparent and easily accessible information to users relating to its data consent policies, particularly how personal data is used with regard to personalised advertisements. Secondly, it did not obtain sufficient and specific consent from users for personalised advertisements across its services.
Article 4(11) of the GDPR outlines the criteria for consent as follows:
‘[C]onsent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
In Google’s case, users are requested to consent to a wide range of services with a single action and therefore the consent requested is not specific. To comply with the GDPR, Google must require consent for each of its services. Furthermore, Google’s data collection process needs to be clear and easy to understand, particularly as it can reveal significant aspects of a user’s private life.
The GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action, prohibiting the use of pre-ticked and opt-in boxes. Therefore, Google must update its consent-gathering mechanisms by offering unticked boxes that give users the option to consent to a specific service.
It is interesting to note that Google has announced that it is appealing the CNIL’s decision, which should provide further clarity on how the GDPR must be applied in practical situations. Irrespective of the outcome of the appeal, this case serves as a clear indication to all companies to comply with the provisions of the GDPR whether they consent to them or not.