The European Union's GDPR is relatively young, but Google is already in hot water over claimed violations. France's CNIL regulator has fined Google €50 million (about $57 million) for allegedly failing to provide transparent, "easily accessible" data consent policies. Google reportedly made it hard to learn about and control how it used personal data, including for targeted ads. It can sometimes take "5 or 6 actions" before you know what Google is doing, CNIL said, and the company spread ad targeting information across "several documents."
The fine stems from digital advocacy group complaints that followed shortly after GDPR took effect in May 2018. CNIL argued the size of the fine was valid as this was not only a basic violation of GDPR's "essential principles," but an ongoing violation rather than a one-time fault.
In response, a Google spokeperson told The Local that the firm was "deeply committed" to transparency and control, and was "studying the decision" to determine what it would do next. However, it doesn't exactly have many options. If it can't convince regulators that its existing consent systems are reasonable, it will likely have to make significant reforms.