Fine against Google

Learnings for privacy notices and consent

Triggered by complaints from activist Max Schrems (None Of Your Business) and the La Quadrature du Net association, the French data protection authority CNIL conducted an Investigation against Google and pronounced a heavy fine. The CNIL's decision provides valuable information on how to place privacy notices correctly or incorrectly.


Privacy notices must be easily accessible. CNIL criticised that the information (editing purposes, storage time, categories of data being edited) was scattered across several linked documents. It took five to six clicks to view all information, e.g. if the user wants to know how Google deals with geolocation data. Therefore, we recommend a privacy statement (long form) in one (1) document.

Privacy notices must be understandable and specific. The user must be able to understand the scope of the processing. Google has been accused of providing too general and inaccurate information about processing purposes and data processed per purpose. In practice, we see that the Controllers often do not explain clearly and detailed enough how users' data are processed.

Privacy statements must be complete. Google forgot to specify the retention period. We therefore recommend that you use as a basis templates recommended by data protection authorities (even if they are rather lengthy).

The reason for the processing must be clear. When Google personalised its advertising, it was not sufficiently clear that it was based on the user's consent and not on a legitimate interest.

The consequence of the inadequate data protection information was that no effective consent was given and processing was therefore not lawfull. Where processing is based on consent, the user must be adequately informed. The information is insufficient if the description is scattered in different documents.

The decision also contains valuable information about the conditions for consent. The authority complained that the consent was not sufficiently "spécifique" (specific) and unambiguous, because the options for opening a user account were only displayed after a user action. The options were pre-ticked, and because the user could only consent "en bloc" instead of separate ticks per processing. We therefore recommend that one (1) field be provided for each of the options so that the user has the choice to click or not to click (no forward ticking).


- Decision CNIL of 21 January 2019 (

- Press release CNIL (


February 2019 | Author: Dr. Martin Eckert

Your team


In need of legal, tax or compliance advice? We look forward to contacting you.