Privacy expert weighs in on data consent as Google appeals its historic GDPR fine

Marketers need to take data protection laws and regulations seriously, says lawyer and chief privacy officer of Truata, who argues current general consent solutions are inadequate

As Google appeals its 50 million Euro GDPR breach fine, a privacy expert warns Australians dealing with data that a pre-ticked box for general consent will no longer cut it.

Chief privacy officer and lawyer at Trūata, Aoife Sexton, said the fine imposed by the National Data Protection Commission (CNIL) was important because the actual violation that attracted the fine was not some obscure point of law. Trūata is a Dublin-based company, whose founding partners are IBM and MasterCard, and was set up last year to provide data anonymisation services for General Data Protection Regulation (GDPR) compliance.

“This decision centres on some of the core principles of the GDPR, which form the foundations of the GDPR, the interpretation and application of which concern all companies who process personal data,” Sexton told CMO

“We can get insight from this decision on the approach that regulators are going to take on enforcement and also on their strict interpretation of the GDPR core principles. We also can learn where they will set the thresholds for compliance with these core principles.” 

Sexton told CMO the French regulator’s decision centres around a violation of the GDPR obligations in a number of areas, including transparency of information, and consent not being validly obtained. 

“Information should not be spread across lots of documents and not easily accessible by users. Companies should not cause a user to have to take five or six steps to figure out the full picture about the use of their data,” she explained. “Companies should not describe what they do with user’s data in generic and vague manner. They also need to be very clear on which legal basis they are opting to rely on for each act of processing. 

“Consent was not being validly obtained for ads personalisation, for two reasons: The first reason was a user was not sufficiently informed so that it could give proper consent. The information given to users was spread across several documents. This made it difficult for users to get a clear picture on the extent and scale of the processing and which of the multiple Google services, websites and applications would be in play. What this meant was that users would struggle to understand the sheer amount of data that Google would process and combine."

The second reason was the consent from the user was neither 'unambiguous' nor 'specific'.

"In the case of unambiguous, the GDPR specifies that to satisfy the threshold for “unambiguous” consent, a clear affirmative action is needed from the user, for example by ticking a non-pre-ticked box for instance - no pre-ticked boxes allowed. In the case of Google, CNIL found that a pre-ticked box was used," Sexton continued. 

“In the case of specific consent, the GDPR specifies the consent is 'specific' only if it is given distinctly for each purpose. Companies cannot merely try to rely on a blanket 'I accept' to that company’s Privacy Policy as indicating user consent for all of its different services. CNIL ruled that this approach would fall short of GDPR compliance.”

Sexton added Google’s fine is the first big fine under the GDPR, and shows regulators are willing to use fines as one of the methods of enforcement.

“This decision actually cuts across all industries and all sectors not just ad tech or marketing. It goes to the heart of some of the core GDPR principles and where the thresholds for compliance have been set," she said. 

“It shows regulators are serious about enforcing these thresholds and they are willing to levy significant fines against those who fall short in meeting them. They are also not going to give companies a pass because companies self-declare they are compliant, or say they received some form of user consent.” 

The GDPR does present acute challenges for those operating in the global adtech space because the ecosystem is complex and the scale of the data sharing in that ecosystem makes it difficult to clearly explain to users what happens to their data. Similarly, it makes obtaining valid user consent challenging. 

For Sexton, the heart of the ruling against Google is how companies treat users and how they explain transparently what they are doing with their user’s data.

"In the case where they are relying on consent, if in fact they have obtained valid consent. The decision is less about what data companies should or should not use,” she said. “For most companies doing data analytics, the CNIL decision is a wake-up call for them to take stock and meaningfully challenge themselves about how they currently provide information and obtain consent from users, and whether their practices will fall short of the thresholds. 

“Such companies should take this opportunity to ask themselves some hard questions, such as ‘is there a better way for us to perform analytics?’, “what if we did not conduct analytics on any personal data but instead conducted analytics on non personal data?’ and ‘What if we could avoid sacrificing utility in so doing?” 

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, join us on Facebook: https://www.facebook.com/CMOAustralia, or check us out on Google+: google.com/+CmoAu   

 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Blog Posts

Why efficiency and effectiveness are opposing forces in a marketing tug of war

I’ve been a long-time fan of renowned effectiveness experts, Peter Field and Les Binet, and their work. But while their approach is clearly important, the marketing leader’s challenge to deliver effectiveness more often lies in organisational structure. I see the bigger question being whether a marketing chief has a seat at the executive table, and the ear and respect of the CEO and company board.

Nickie Scriven

CEO, Zenith

Augmented Reality: What’s behind the marketing industry’s failure of imagination?

Every flagship smartphone in Australia includes hardware and software purpose-built for AR. A huge audience is ready and waiting. We have an opportunity to craft extraordinary, innovative work. But to get there, we need to push our creative thinking a little harder, writes Gil Fewster.

Gil Fewster

Creative technologist, The Royals

Does your brand need a personality review?

There are five tell-tale signs your brand needs to take a long hard look at itself.

Charlie Rose

Senior Strategy Consultant, Principals

great case study, content has always proved to be an integral part of making a brand, now social media marketing is also one tool that ca...

Govind Dadhich

How a brand facelift and content strategy turned real estate software, Rockend, around

Read more

Why it's important for me to know that? I don't get it, sorry.

James Fogle

7 things you need to know about Facebook's mood experiment

Read more

Info graphic have proven to be very useful to create brand awareness and drive traffic. Thanks for sharing these Information.Graphic Desi...

Govind Dadhich

Image intelligence:10 must-see infographics for marketers

Read more

Best web hosting packages Vancouver WA understands that only technical support and domain associated email address can bring huge leads ...

Radiata Solutions

6 Ways to ramp up Social Media to Your Web Design

Read more

I had the same vision about change from CX terminology to HX. Even with almost the same title: 'Forget customer experience...' https://ww...

Ekaterina Khramkova

Forget customer experience, human experience is marketing's next frontier

Read more

Latest Podcast

More podcasts

Sign in