French regulators have fined Google nearly $57 million for violations of the General Data Protection Regulation (GDPR). This fine was the first major penalty levied against a large U.S. technology company since the regulation took effect in May 2018.

France’s data protection authority, known as the CNIL, said that Google failed to fully disclose to users how their personal information is collected and what happens to it. Significantly, regulators said that Google also did not properly obtain users’ consent to use the data to serve them personalized advertisements.

The CNIL said in a statement that the violations “deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life. . .” Google said that it is reviewing the CNIL’s decision and determining next steps.

The GDPR’s privacy rules have established a global standard for privacy protection that has required companies to significantly reassess and change their data-collection and governance practices or risk incurring serious fines. Under the GDPR, companies must give users a full, clear picture of the data they collect, and workable tools to consent to processing of their personal information. In both instances, French authorities said that Google had failed to comply with requirements.

The decision comes at the end of an investigation French regulators began May 25, 2018 – the day the GDPR came into effect – in response to concerns raised by privacy advocates. In addition to the complaint against Google brought in France, advocates lodged complaints against Facebook and its subsidiaries – Instagram and WhatsApp – in other EU countries.

It’s important to keep in mind that while these complaints were brought against tech giants, the GDPR requirements they highlight must be met by all companies that collect data about EU residents. Regulators have voiced their concern that small and medium-sized companies also comply, and have engaged in awareness campaigns to remind these organizations of their responsibilities under the new regulation.

Getting notice and consent right is part of a broader set of GDPR obligations that require companies to establish privacy policies and practices that protect individuals and promote the responsible use of data. Companies that collect data from EU residents would do well to take steps now to meet the requirements of this new law, as the Google decision is only the first of what will be many actions to ensure companies take the GDPR seriously.

Editorial credit: achinthamb / Shutterstock.com
