In January, Google was fined EUR50 million for breaching GDPR rules. Levied by French regulator CNIL, the fine is the largest and most significant since GDPR was introduced in May last year, but the implications run beyond the money.
It means Google will have to stop building advertising profiles about users until it has properly informed them what it is doing and received their explicit consent. In all likelihood, many people will say 'no' to being profiled by Google once they learn the truth.
The search engine giant was fined for not taking the necessary action to make its consent options easy for consumers to opt out of, and the French regulator found users were unable to fully understand the extent of the processing operations carried out by Google.
Tim Walters, principal strategist and privacy lead at content strategy consultancy Content Advisory, says: 'In the opening pages of the GDPR, Recital 7 states natural persons should have control of their own personal data. That's 10 words that can easily be reduced to eight, since 'natural persons' are people, and 'their own personal data' is redundant. People should have control of their personal data."
Walters calls this the core principle or prime directive of the GDPR. "I'm not a lawyer, but I'm convinced it's fair to say that everything in the remaining 200-plus pages of the regulation flows from this dictum."
Keeping people in control
According to him, this already implies a test or guiding question for content and customer experience (CX) teams: does this message, campaign, form, or suchlike, keep people in control of their data?
Next, he says if businesses embrace this commitment to control, which is obligatory under the GDPR, several types of actions would flow from it. "Intuitively, businesses would do things such as ask for permission to collect people's data, tell them clearly and exhaustively what you're going to do with it, and if you're going to do multiple things with it, state each one clearly.
"In addition, do with it only what you said, unless you get additional permission, and you'd have to give them a way to clearly say yes or no to your requests."
He says businesses would also be obliged to keep the information secure while they have it, and give it back (in other words delete it) as soon as the stated purpose is completed.
"It should come as no surprise that these kinds of behaviours and restrictions are almost precisely the 'core processing principles' spelled out in Article 5 of the GDPR."
Insufficient transparency, specificity
He says Google was found to be in violation of the GDPR on three points that directly relate to these core principles.
"Firstly, insufficient transparency and ease of understanding. In effect, the data authorities found Google failed to explain their proposed processing of data clearly."
Next, there was lack of specificity. Because Google referred to the privacy policy in toto, it was deemed guilty of failing to clearly specify each processing purpose separately.
Finally, the inability to give unambiguous consent. "Google deployed some radio buttons that were pre-ticked for opt-in or consent. They failed to give the user the ability to indicate consent with a 'clear affirmative action', such as clicking on a non-pre-ticked button.
"There is nothing surprising about these findings against Google. Even without mastering the GDPR in detail, one can easily see their actions clearly failed to maintain people in control of their data. Obviously, content and CX teams now need to be thoroughly trained in all appropriate aspects of the GDPR."