Privacy expert weighs in on data consent as Google appeals its historic GDPR fine

Marketers need to take data protection laws and regulations seriously, says lawyer and chief privacy officer of Truata, who argues current general consent solutions are inadequate

As Google appeals its 50 million Euro GDPR breach fine, a privacy expert warns Australians dealing with data that a pre-ticked box for general consent will no longer cut it.

Chief privacy officer and lawyer at Trūata, Aoife Sexton, said the fine imposed by the National Data Protection Commission (CNIL) was important because the actual violation that attracted the fine was not some obscure point of law. Trūata is a Dublin-based company, whose founding partners are IBM and MasterCard, and was set up last year to provide data anonymisation services for General Data Protection Regulation (GDPR) compliance.

“This decision centres on some of the core principles of the GDPR, which form the foundations of the GDPR, the interpretation and application of which concern all companies who process personal data,” Sexton told CMO

“We can get insight from this decision on the approach that regulators are going to take on enforcement and also on their strict interpretation of the GDPR core principles. We also can learn where they will set the thresholds for compliance with these core principles.” 

Sexton told CMO the French regulator’s decision centres around a violation of the GDPR obligations in a number of areas, including transparency of information, and consent not being validly obtained. 

“Information should not be spread across lots of documents and not easily accessible by users. Companies should not cause a user to have to take five or six steps to figure out the full picture about the use of their data,” she explained. “Companies should not describe what they do with user’s data in generic and vague manner. They also need to be very clear on which legal basis they are opting to rely on for each act of processing. 

“Consent was not being validly obtained for ads personalisation, for two reasons: The first reason was a user was not sufficiently informed so that it could give proper consent. The information given to users was spread across several documents. This made it difficult for users to get a clear picture on the extent and scale of the processing and which of the multiple Google services, websites and applications would be in play. What this meant was that users would struggle to understand the sheer amount of data that Google would process and combine."

The second reason was the consent from the user was neither 'unambiguous' nor 'specific'.

"In the case of unambiguous, the GDPR specifies that to satisfy the threshold for “unambiguous” consent, a clear affirmative action is needed from the user, for example by ticking a non-pre-ticked box for instance - no pre-ticked boxes allowed. In the case of Google, CNIL found that a pre-ticked box was used," Sexton continued. 

“In the case of specific consent, the GDPR specifies the consent is 'specific' only if it is given distinctly for each purpose. Companies cannot merely try to rely on a blanket 'I accept' to that company’s Privacy Policy as indicating user consent for all of its different services. CNIL ruled that this approach would fall short of GDPR compliance.”

Sexton added Google’s fine is the first big fine under the GDPR, and shows regulators are willing to use fines as one of the methods of enforcement.

“This decision actually cuts across all industries and all sectors not just ad tech or marketing. It goes to the heart of some of the core GDPR principles and where the thresholds for compliance have been set," she said. 

“It shows regulators are serious about enforcing these thresholds and they are willing to levy significant fines against those who fall short in meeting them. They are also not going to give companies a pass because companies self-declare they are compliant, or say they received some form of user consent.” 

The GDPR does present acute challenges for those operating in the global adtech space because the ecosystem is complex and the scale of the data sharing in that ecosystem makes it difficult to clearly explain to users what happens to their data. Similarly, it makes obtaining valid user consent challenging. 

For Sexton, the heart of the ruling against Google is how companies treat users and how they explain transparently what they are doing with their user’s data.

"In the case where they are relying on consent, if in fact they have obtained valid consent. The decision is less about what data companies should or should not use,” she said. “For most companies doing data analytics, the CNIL decision is a wake-up call for them to take stock and meaningfully challenge themselves about how they currently provide information and obtain consent from users, and whether their practices will fall short of the thresholds. 

“Such companies should take this opportunity to ask themselves some hard questions, such as ‘is there a better way for us to perform analytics?’, “what if we did not conduct analytics on any personal data but instead conducted analytics on non personal data?’ and ‘What if we could avoid sacrificing utility in so doing?” 

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, join us on Facebook: https://www.facebook.com/CMOAustralia, or check us out on Google+: google.com/+CmoAu   

 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Blog Posts

How to create profitable pricing

How do we price goods and services? As business leaders, we have asked ourselves this question since the history of trading.

Lee Naylor

Managing partner, The Leading Edge

Sport and sponsorship: The value of event sponsorship

Australia’s cricketers captured the nation’s attention during their recent run to the semi-final of the ICC Men’s World Cup. While the tournament ultimately ended in defeat, for over a month it provoked a sense of belonging, hope and empowerment for millions of people across Australia. Cricket, and sport in general, has a near-unique ability to empower individuals, irrelevant of their background, demographic or nationality.

Nikhil Arora

Vice-president and managing director, GoDaddy India

AI ethics: Designing for trust

As artificial intelligence (AI) becomes much more prevalent and increasingly a way of life, more questions are being asked than answered about the ethical implications of its adoption.

Katja Forbes

Founder and chief, sfyte

I live the best deals at LA Police Gear.

Tyrus Rechs

6 Ways to ramp up Social Media to Your Web Design

Read more

Its absolute over priced acquisition. The CEO, must be fired for this all cash transaction. Absolutely no justification for prospective P...

about_face

Analysts question long-term play of SAP's acquisition of Qualtrics

Read more

Very well written Nikhil! Indeed this is a big ticket investment, but the impact on brand, sales and employee motivation should make it w...

Yugal Sachdeva

Sport and sponsorship: The value of event sponsorship

Read more

As someone with both experience in marketing and working with UiPath both, I can say that I cannot wait to see more marketing processes u...

CiGen RPA

What robotic process automation can do for marketers

Read more

10 Business applications of virtual reality (VR) technologyhttps://www.sendiancreation...virtual reality

sendian creations

The new wave of VR applications

Read more

Latest Podcast

More podcasts

Sign in