The curious case of consent: Google fined 50 million Euro for breaching the GDPR

The complaints concerned Google’s consent practices when users create a Google account. When creating an account, users are required to agree to Google’s terms of use, privacy policy and data collection process by scrolling through the page using the ‘’more’’ button. By doing this, users are deemed to have given the necessary consent to Google for the collection of their personal data and to receive personalised advertisements.

The CNIL held that, by requiring users to do this, Google failed to comply with two provisions of the GDPR. Firstly, it failed to provide transparent and easily accessible information to users relating to its data consent policies, particularly how personal data is used with regard to personalised advertisements. Secondly, it did not obtain sufficient and specific consent from users for personalised advertisements across its services.

What should be made clear is that the terms of use and privacy policy information are available, however, neither are easily accessible. Users have to scroll through various settings and options to access this information. In addition, it is not that users do not consent to Google’s policies, but rather that users’ consent is not fully informed. Users therefore do not fully understand the extent to which their personal data will be used for personalised advertisements across all Google’s services. The CNIL held that the consents collected by Google are ambiguous and not specific to each of its various services, which are offered across many different platforms and devices. Further, the option for personalised advertisements is already pre-ticked when users accept Google’s data policies. Unless users know that the option of personalised advertisements is already pre-ticked and can navigate their way to the options and settings, they cannot turn it off.

Article 4(11) of the GDPR outlines the criteria for consent as follows:

[C]onsent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’’

In Google’s case, users are requested to consent to a wide range of services with a single action and therefore the consent requested is not specific. To comply with the GDPR, Google must require consent for each of its services. Furthermore, Google’s data collection process needs to be clear and easy to understand, particularly as it can reveal significant aspects of a user’s private life.

The GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action, prohibiting the use of pre-ticked and opt-in boxes. Therefore, Google must update its consent gathering mechanisms by offering unticked boxes to allow users the option to consent to a specific service.

It is interesting to note that Google has announced that it is appealing the CNIL’s decision, which should provide further clarity on how the GDPR must be applied in practical situations. Irrespective of the outcome of the appeal, this case serves as a clear indication to all companies to comply with the provisions of the GDPR whether they consent to them or not.