The National Data Protection Commission said it fined the U.S. internet giant for "lack of transparency, inadequate information and lack of valid consent" regarding ad personalization for users. It's one of the biggest regulatory enforcement actions since the European Union's General Data Protection Regulation, or GDPR, came into force in May. The rules are aimed at clarifying individual rights to personal data collected by companies, which are required to use plain language to explain what they're doing with it.
Even though many tech multinationals like Google are headquartered in the U.S., they still have to comply with the new rules because they have millions of users in Europe. The commission said Google users were "not sufficiently informed" about what they were agreeing to as the company collected data for targeted advertisements.
Users have to take too many steps, "sometimes up to 5 or 6 actions," to find out how and why their data is being used, the commission said. Google's description of why it's processing their data is "described in a too generic and vague manner," it added.
The company's infringements "deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life," the commission said . The commission acted on complaints by two data protection advocacy groups, NOYB.EU and La Quadrature du Net, filed immediately after GDPR took effect.
Google said in a statement it is "deeply committed" to transparency and user control as well as GDPR consent requirements. "We're studying the decision to determine our next steps," it said.