Privacy expert weighs in on data consent as Google appeals its historic GDPR fine

Marketers need to take data protection laws and regulations seriously, says lawyer and chief privacy officer of Truata, who argues current general consent solutions are inadequate

As Google appeals its 50 million Euro GDPR breach fine, a privacy expert warns Australians dealing with data that a pre-ticked box for general consent will no longer cut it.

Chief privacy officer and lawyer at Trūata, Aoife Sexton, said the fine imposed by the National Data Protection Commission (CNIL) was important because the actual violation that attracted the fine was not some obscure point of law. Trūata is a Dublin-based company, whose founding partners are IBM and MasterCard, and was set up last year to provide data anonymisation services for General Data Protection Regulation (GDPR) compliance.

“This decision centres on some of the core principles of the GDPR, which form the foundations of the GDPR, the interpretation and application of which concern all companies who process personal data,” Sexton told CMO

“We can get insight from this decision on the approach that regulators are going to take on enforcement and also on their strict interpretation of the GDPR core principles. We also can learn where they will set the thresholds for compliance with these core principles.” 

Sexton told CMO the French regulator’s decision centres around a violation of the GDPR obligations in a number of areas, including transparency of information, and consent not being validly obtained. 

“Information should not be spread across lots of documents and not easily accessible by users. Companies should not cause a user to have to take five or six steps to figure out the full picture about the use of their data,” she explained. “Companies should not describe what they do with user’s data in generic and vague manner. They also need to be very clear on which legal basis they are opting to rely on for each act of processing. 

“Consent was not being validly obtained for ads personalisation, for two reasons: The first reason was a user was not sufficiently informed so that it could give proper consent. The information given to users was spread across several documents. This made it difficult for users to get a clear picture on the extent and scale of the processing and which of the multiple Google services, websites and applications would be in play. What this meant was that users would struggle to understand the sheer amount of data that Google would process and combine."

The second reason was the consent from the user was neither 'unambiguous' nor 'specific'.

"In the case of unambiguous, the GDPR specifies that to satisfy the threshold for “unambiguous” consent, a clear affirmative action is needed from the user, for example by ticking a non-pre-ticked box for instance - no pre-ticked boxes allowed. In the case of Google, CNIL found that a pre-ticked box was used," Sexton continued. 

“In the case of specific consent, the GDPR specifies the consent is 'specific' only if it is given distinctly for each purpose. Companies cannot merely try to rely on a blanket 'I accept' to that company’s Privacy Policy as indicating user consent for all of its different services. CNIL ruled that this approach would fall short of GDPR compliance.”

Sexton added Google’s fine is the first big fine under the GDPR, and shows regulators are willing to use fines as one of the methods of enforcement.

“This decision actually cuts across all industries and all sectors not just ad tech or marketing. It goes to the heart of some of the core GDPR principles and where the thresholds for compliance have been set," she said. 

“It shows regulators are serious about enforcing these thresholds and they are willing to levy significant fines against those who fall short in meeting them. They are also not going to give companies a pass because companies self-declare they are compliant, or say they received some form of user consent.” 

The GDPR does present acute challenges for those operating in the global adtech space because the ecosystem is complex and the scale of the data sharing in that ecosystem makes it difficult to clearly explain to users what happens to their data. Similarly, it makes obtaining valid user consent challenging. 

For Sexton, the heart of the ruling against Google is how companies treat users and how they explain transparently what they are doing with their user’s data.

"In the case where they are relying on consent, if in fact they have obtained valid consent. The decision is less about what data companies should or should not use,” she said. “For most companies doing data analytics, the CNIL decision is a wake-up call for them to take stock and meaningfully challenge themselves about how they currently provide information and obtain consent from users, and whether their practices will fall short of the thresholds. 

“Such companies should take this opportunity to ask themselves some hard questions, such as ‘is there a better way for us to perform analytics?’, “what if we did not conduct analytics on any personal data but instead conducted analytics on non personal data?’ and ‘What if we could avoid sacrificing utility in so doing?” 

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, join us on Facebook: https://www.facebook.com/CMOAustralia, or check us out on Google+: google.com/+CmoAu   

 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Blog Posts

Why are we dubious about deep learning?

The prospect of deep learning gives those of us in the industry something to get really excited about, and something to be nervous about, at the same time.

Katja Forbes

Founder and chief, sfyte

Why you can’t afford to fail at CX in 2019

In 1976 Apple launched. The business would go on to change the game, setting the bar for customer experience (CX). Seamless customer experience and intuitive designs gave customers exactly what they wanted, making other service experiences pale in comparison.

Damian Kernahan

Founder and CEO, Proto Partners

Natural born leaders

Many business and marketing managers progressing to leadership positions face evolving their focus from operational matters to strategic decision making and planning.

Jean-Luc Ambrosi

Author, marketer

Interesting article but what about the employees? There needs to be access to quick cash for everyone involved lest we have yet another '...

Joel Pencer

Suncorp outlines customer investments, digitisation as key to business improvement

Read more

Just printed out this Brad Howarth screed to read tomorrow. I need a good laugh once in a while. Or maybe shed some manly-man tears at th...

Larry A Singleton

What a diversity agenda has done for Kellogg's staff and innovation engagement

Read more

Morons. PC Nazis infiltrating and subverting every level in our lives.These scum have destroyed our education system.Read FrontPage Magaz...

Larry A Singleton

What a diversity agenda has done for Kellogg's staff and innovation engagement

Read more

It is an accepted fact that in the present times the mass makes use of digital marketing more often and are more and more enlightened wit...

Digital Marketing Course in Ja

Why RMIT is partnering with Adobe for digital marketing learning

Read more

If men were really the dominating brutes that feminist make them out to be ,then women really would be second class citizens. Without th...

aaron

Analysis: Gillette's latest ad only proves why brands standing for positive change is vital

Read more

Latest Podcast

More podcasts

Sign in