Privacy expert weighs in on data consent as Google appeals its historic GDPR fine

Marketers need to take data protection laws and regulations seriously, says lawyer and chief privacy officer of Truata, who argues current general consent solutions are inadequate

As Google appeals its 50 million Euro GDPR breach fine, a privacy expert warns Australians dealing with data that a pre-ticked box for general consent will no longer cut it.

Chief privacy officer and lawyer at Trūata, Aoife Sexton, said the fine imposed by the National Data Protection Commission (CNIL) was important because the actual violation that attracted the fine was not some obscure point of law. Trūata is a Dublin-based company, whose founding partners are IBM and MasterCard, and was set up last year to provide data anonymisation services for General Data Protection Regulation (GDPR) compliance.

“This decision centres on some of the core principles of the GDPR, which form the foundations of the GDPR, the interpretation and application of which concern all companies who process personal data,” Sexton told CMO

“We can get insight from this decision on the approach that regulators are going to take on enforcement and also on their strict interpretation of the GDPR core principles. We also can learn where they will set the thresholds for compliance with these core principles.” 

Sexton told CMO the French regulator’s decision centres around a violation of the GDPR obligations in a number of areas, including transparency of information, and consent not being validly obtained. 

“Information should not be spread across lots of documents and not easily accessible by users. Companies should not cause a user to have to take five or six steps to figure out the full picture about the use of their data,” she explained. “Companies should not describe what they do with user’s data in generic and vague manner. They also need to be very clear on which legal basis they are opting to rely on for each act of processing. 

“Consent was not being validly obtained for ads personalisation, for two reasons: The first reason was a user was not sufficiently informed so that it could give proper consent. The information given to users was spread across several documents. This made it difficult for users to get a clear picture on the extent and scale of the processing and which of the multiple Google services, websites and applications would be in play. What this meant was that users would struggle to understand the sheer amount of data that Google would process and combine."

The second reason was the consent from the user was neither 'unambiguous' nor 'specific'.

"In the case of unambiguous, the GDPR specifies that to satisfy the threshold for “unambiguous” consent, a clear affirmative action is needed from the user, for example by ticking a non-pre-ticked box for instance - no pre-ticked boxes allowed. In the case of Google, CNIL found that a pre-ticked box was used," Sexton continued. 

“In the case of specific consent, the GDPR specifies the consent is 'specific' only if it is given distinctly for each purpose. Companies cannot merely try to rely on a blanket 'I accept' to that company’s Privacy Policy as indicating user consent for all of its different services. CNIL ruled that this approach would fall short of GDPR compliance.”

Sexton added Google’s fine is the first big fine under the GDPR, and shows regulators are willing to use fines as one of the methods of enforcement.

“This decision actually cuts across all industries and all sectors not just ad tech or marketing. It goes to the heart of some of the core GDPR principles and where the thresholds for compliance have been set," she said. 

“It shows regulators are serious about enforcing these thresholds and they are willing to levy significant fines against those who fall short in meeting them. They are also not going to give companies a pass because companies self-declare they are compliant, or say they received some form of user consent.” 

The GDPR does present acute challenges for those operating in the global adtech space because the ecosystem is complex and the scale of the data sharing in that ecosystem makes it difficult to clearly explain to users what happens to their data. Similarly, it makes obtaining valid user consent challenging. 

For Sexton, the heart of the ruling against Google is how companies treat users and how they explain transparently what they are doing with their user’s data.

"In the case where they are relying on consent, if in fact they have obtained valid consent. The decision is less about what data companies should or should not use,” she said. “For most companies doing data analytics, the CNIL decision is a wake-up call for them to take stock and meaningfully challenge themselves about how they currently provide information and obtain consent from users, and whether their practices will fall short of the thresholds. 

“Such companies should take this opportunity to ask themselves some hard questions, such as ‘is there a better way for us to perform analytics?’, “what if we did not conduct analytics on any personal data but instead conducted analytics on non personal data?’ and ‘What if we could avoid sacrificing utility in so doing?” 

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, join us on Facebook: https://www.facebook.com/CMOAustralia, or check us out on Google+: google.com/+CmoAu   

 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Blog Posts

Taking performance cues from east Asian markets

As the ‘Asian century’ becomes ever more prevalent and the Fourth Industrial Revolution gathers speed, marketers are having to surf a tidal wave of creative destruction. The choice is stark: Embrace change, or resign yourself to a Darwinian fate.

Dr Chris Baumann

Associate professor, Macquarie University

Searching for social and marketing data

Many marketers, agencies - and everyone in between - get caught up on bubble references and data points. They’ll use Facebook best practice as the only best practice for Facebook executions and only consider metrics and responses of the one channel they’re expected to deliver on.

Isaac Lai

Connections strategy lead, VMLY&R Sydney

Why Australia needs more leaders

A few weeks ago, our Prime Minister, Scott Morrison took it upon himself to tell companies and their CEOs where to go when it came to societal issues. It wasn’t an organisation’s place to get involved. Instead, he said it should be left to governments to solve societies challenges.

Dan Banyard

Managing director, Edentify

Congratulations! So good to see a business turnaround with a good omni channel email lead strategy.Antanthonyidle.com

Anthony Idle

How Total Tools overhauled its omnichannel marketing

Read more

Well, you can always improve your service. Your customers will appreciate your efforts.

Mike Thompson

Report: Australian customer experience good but not great

Read more

Thanks for sharing! Terracotta Jewellery Online Shopping Ethnic Jewellery Online Shopping

Cotton Sarees Online

How data is driving the customers of a lifetime for BaubleBar

Read more

Informative blog. Xero is a well-known revolutionized accounting software, specifically developed to provide best User Experience and mak...

NavkarConsultancyServices

Xero evolves to fit a changing marketplace

Read more

>Writes article about how to show diversity in an authentic way>All featured opinions are from white women

Jennifer Metcalfe

Food for Thought: How can brands show diversity in an authentic way?

Read more

Latest Podcast

More podcasts

Sign in