CNIL fines Google LLC EUR 50 million - Focus on: GDPR transparency and consent for ad personalisation
The French data protection regulator has slapped Google LLC with a EUR 50 million financial penalty under the GDPR. The fine relates to Google LLC’s alleged failure to provide users of its services with adequate and transparent information about how their personal data is used for ad personalisation within its Android operating system, and its failure to obtain their valid consent to this.
We examine the jurisdictional and fines aspects in our Law-Now: CNIL fines Google LLC EUR50 million – Focus on: Jurisdiction and fines under GDPR.
This sends a strong message to technology and AdTech companies that they will need to raise the bar on transparency and give individuals greater choice about what happens to their data.
Who made the complaints and what were they about?
Within days of the GDPR applying on 25 May 2018, the Commission Nationale de l'Informatique et des Libertés (the “CNIL”) received group complaints from two consumer / privacy associations: None Of Your Business (noyb, fronted by Austrian privacy activist Max Schrems), and La Quadrature du Net (LQDN, backed by 10,000 people who joined the complaint).
The complaints alleged that Google LLC (“Google”) did not:
- meet the requirements of the GDPR regarding information and transparency; or
- have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes.
What did the CNIL find?
The GDPR requires certain minimum information to be provided to individuals about processing of their data. This is typically provided for in the form of a privacy notice.
The CNIL found that the privacy information provided by Google for the relevant services was:
- not easily accessible – the information was structured in an overly complex way across multiple documents, using excessive buttons and links and requiring too many clicks for users to access essential information
- not always comprehensive or clear, and
- not sufficient in explaining the extent of processing operations carried out by Google, which “are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined”.
The CNIL raised particular concerns that:
- the description of the purposes of processing and categories of data processed for these various purposes was too generic and vague
- the information communicated was not sufficiently clear for users to understand that the legal basis for ad personalisation is user consent (and not Google’s legitimate interest), and
- incomplete information was provided about retention periods.
The GDPR requires data processing to fall within certain specified legal bases, with those most relevant for marketing purposes being “consent” and “legitimate interests”. Google said it relied on consent for ad personalisation services, but the CNIL found that consent was not validly obtained because the users’ consent was not:
- sufficiently informed – this was due to the deficiencies in transparency and information provided, especially as users could not possibly be aware of: “the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined”. In other words, the consent sought is much broader than consent to ad personalisation related to the user’s Android device.
- “specific” and “unambiguous” – this was because the options to modify the settings were hidden behind a “More options” button, the ads personalisation setting was displayed pre-ticked, and, before creating an account, the user was required to agree to Google’s terms of service and to the processing of their information for all the purposes Google bases on this consent (ads personalisation, speech recognition, etc.), rather than giving consent separately for each specific purpose.
What does the decision mean for technology and AdTech companies, and consumers?
- Companies will need to find innovative ways to provide a complete picture of their complex personal data processing operations and with minimal clicks. Key information about purposes of processing and categories of data processed, legal bases relied on and retention periods must be set out clearly front and centre.
- Generic or vague descriptions will not cut it.
- The extent of processing (including how an intricate network of services fits together from a data perspective) must be readily apparent.
- Companies will need clarity on the legal basis they are relying on to process personal data. The threshold for valid consent is a high one – for consent to be “unambiguous” it requires a clear affirmative action from the user (by ticking a non-pre-ticked box, for instance).
- “All or nothing” consent as a condition of signing up to services will need to change to be more granular and service-specific. The benefit for consumers should be a greater level of awareness about what happens with their information and more options to only sign up to those uses that they are comfortable with. However, this could also mean lengthier consent forms, with more boxes to tick.
What happens next?
This has been described by the CNIL as an ongoing and repeated breach of the GDPR, meaning that Google could face further enforcement action unless it either brings its practices into line or launches an appeal. Google has announced that it will be appealing the decision.