French regulators fined Google a record €50 million, or around $56.8 million, for its failure to comply with Europe's new data privacy rules.
Google Penalized For Violating GDPR In France
France's data privacy agency CNIL said in a statement released on Monday that the search engine company did not fully disclose to its users how their personal information is collected and what happens to these data.
The watchdog agency also said Google failed to properly obtain consent from the users to show them personalized ads, and the tech company has not rectified these violations.
The General Data Protection Regulation (GDPR) requires companies to give users a full and clear picture of the data they collect. They should also provide simple tools for users to consent to have their personal information used.
The CNIL said Google made it difficult for users to find essential information, such as the purposes of data processing, storage periods of the data, and the categories of data used for personalized ads.
The watchdog said Google did so by splitting this information across multiple help pages, documents, and settings screens.
Because of this lack of clarity, users were essentially unable to exercise their right to opt out of data processing for ad personalization.
Even when user consent was collected, CNIL said Google still failed to meet the GDPR standard that this consent be "specific" and "unambiguous".
Biggest GDPR Fine To Date
This is not the first time a GDPR fine has been issued. Last year, a hospital in Portugal was also slapped with a €400,000 ($454,338) fine after it emerged that staff were using bogus accounts to access patient records. A German social media company was also fined €20,000 ($22,716) last year for storing users' social media passwords in plain text.
Google's penalty, however, is the biggest GDPR fine issued and the first time a U.S. technology company has been found to violate the regulations that took effect in May last year.
"The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent," CNIL said in a statement.