Ooh La La…GDPR Fines Google Beaucoup
Implications of the General Data Protection Regulation
If we were waiting to see what effects the General Data Protection Regulation, fondly known by now as the GDPR, would have on US-based companies, we have clues. Another 56.8 million of them – the amount of the fine against Google for non-compliance with the consent requirements of the GDPR.
France’s data protection regulator (CNIL) found that Google was not sufficiently transparent about the use of personal information from its users and didn’t obtain specific consent from users to use that data for ad-targeting purposes, among other claims.
Recall that GDPR requires that users consent to each specific use of their data. For consent to be valid, it has to be freely given, specific, informed and unambiguous, and given with a clear affirmative action. GDPR provides that consent is “specific” only if it is given distinctly for each purpose. While the fine is notable, another notable aspect of this claim is that universal consent forms – which set out the laundry list of data uses that consumers and users consent to – will no longer satisfy the “specific” requirement under the GDPR.
The burden of showing how consent is obtained often lands in the marketing departments of companies seeking to use that data. Eliminating the validity of the universal consent form adds another burden of compliance when it comes to ad targeting because users will have to affirmatively and specifically consent to ad targeting (or any other specific use) and companies will have to track and monitor these consents.
GDPR may be an EU-driven phenomenon, but it has become part of our own discussion on privacy here in the US. While we don’t know for sure what the long-term effects of this ruling will be on the US advertising and marketing industry, it will surely disrupt the joie de vivre of personalized advertising to the EU consumer.
Alas, c’est la vie!