It’s tempting to think of Google’s recent GDPR penalty as a first. The $56 million judgement is the biggest GDPR fine to be issued by a European regulator, and the first time a tech giant has been found to be in non-compliance with the regulation.
But a different story emerges after looking more closely at the EU’s regulatory activity since GDPR enforcement began in May 2018. The Google penalty isn’t the start of something new; on the contrary, it’s the latest development in the EU’s push to make businesses more transparent about data collection and processing.
This wider view also shows a clear trend: Regulators are primarily targeting a company’s consent data collection and management practice in their investigations.
What does this mean for your business? More than ever, consent data management is the front line for your GDPR risk exposure and your reputation as a transparent, trusted business.
Transparency: The heart of the Google penalty
When CNIL, the data protection authority in France, announced Google’s penalty, regulators described two main violations. In both instances, the company’s efforts to be transparent about its collection and processing of personal data were deemed to be flawed.
In the first violation, CNIL said users weren’t able to fully understand the extent of Google’s data processing operations across its ecosystem of products and services. In the second violation, CNIL said Google failed to validly obtain the user’s consent to process data for ads personalization purposes.
The regulators cited two reasons for the ads personalization violation. First, the consent was not sufficiently informed since information was spread across multiple documents and did not enable users to understand the extent of the processing operations. Secondly, they did not find the consent requests to process data for ads personalization to be specific or unambiguous enough to meet GDPR requirements.
CNIL felt these violations were enough to take unprecedented action: “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
The first shot across adtech’s bow
Even before the Google penalty, CNIL had been aggressive in pursuing major investigations involving potential GDPR violations around the consent issue. In late October, they issued a decision against Vectaury – a French adtech firm – that is threatening the status quo of the entire adtech industry.
In their investigation, CNIL found that Vectaury, and the consent framework they used, bundled consent for third-party data processing through partner contracts. The governing authority called for a halt to this practice and has required Vectaury to cease data processing as the legal case proceeds.
Privacy activists and adtech firms took immediate notice of the decision. Bundled consent is at the heart of the online ad industry’s real-time bidding (RTB) system. This system, which has displaced traditional models of digital ad selling, is growing at breakneck speed. It’s estimated RTB digital advertising spend will reach $23.5 billion in the United States in 2018 compared to a $6.3 billion spend in 2014.
When viewed in combination with other GDPR-based complaints about the RTB system, it’s clear this pillar of the adtech industry is under regulatory assault. And, as the CNIL decision shows, regulators are willing to shut down a company’s data processing operations if they find it in violation of GDPR’s consent requirements.
At the source: Consent matters to consumers
It’s important to realize these high-profile investigations and penalties originally started with consumer complaints. EU member states received a total of 42,230 GDPR-related complaints from the time enforcement began until October. Of those, Giovanni Buttarelli, the European Data Protection Supervisor, told TechCrunch that customer consent is the most pressing issue:
“In cases in which it is indispensable to build on consent it should be much more than in the past based on exhaustive information; much more details, written in a comprehensive and simple language, accessible to an average user, and it should be really freely given — so no blackmailing.”
Consent data management strategy is a must
If your company serves customers in Europe, your consent data management strategy needs to be a priority. By developing a vision for capturing consent and preferences holistically across touchpoints, brands, and channels – for every instance when this data needs to be captured according to GDPR requirements – you can drastically mitigate regulatory risk.
In addition, if you develop a reliable system for enforcing a customer’s preference and consent choices across downstream applications and services, your business will avoid a major source of GDPR-based complaints.
Moreover, honoring customers’ preferences and consent choices helps build trust in this new age of consumer privacy and data protection. And this trust is the foundation of today’s meaningful customer relationships. Without trust, customers jump to competitors and brand reputation takes a serious hit, as many businesses that are not managing preferences and consent data according to GDPR standards are about to find out.