French regulators fined Google €50 million (equivalent to $57 million) on Monday for violating European Union privacy law. That’s not much considering Google’s parent company Alphabet reported $33.7 billion in revenue in its most recently reported quarter. But much like the EU’s $2.7 billion fine against Google for antitrust in 2017, a record at the time, the fine may be less important than the potential changes to Google’s business model that might follow.
The fine is the first of potentially many actions against US tech giants for violations of the EU’s sweeping General Data Protection Regulation, which took effect in May 2018. Privacy advocates have lodged complaints against several other companies, ranging from Amazon and Netflix to credit reporting companies like Equifax and Experian. Depending on how EU regulators rule, companies large and small may be forced to change the way they collect and store personal information online. Meanwhile, similar laws in California and Washington state, along with proposed legislation in New Jersey and other states, could force companies to rethink data privacy in the US as well.
The French data privacy authority CNIL ruled that Google violated GDPR because the company hadn’t properly gained consent from users to use their data to personalize advertising. Google lets users opt out of ad personalization, but they must actively choose to do so. CNIL also ruled that the company makes it too hard for users to find out how their personal information is used and how long that information is stored.
Google hasn’t announced whether it will appeal the fine. “People expect high standards of transparency and control from us,” a Google spokesperson said in a statement. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
If Google doesn’t appeal, or if it loses the appeal, the company will need to either switch from an opt-out to an opt-in model for ad personalization, or find a legal justification for using personal data without explicit consent.
CNIL launched an investigation into Google last year after receiving complaints from the French advocacy group La Quadrature du Net and the Austrian group NOYB (short for “none of your business”).
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” NOYB founder Max Schrems said in a statement. He added that Google and other large tech companies have “often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
But there’s still disagreement over what GDPR requires. “There’s still a lot of gray,” according to Brian Kane, a former Google executive and cofounder of Sourcepoint, a company that makes software that helps companies comply with GDPR.
For example, the GDPR outlines the circumstances under which companies are allowed to use—or “process”—personal information. The law emphasizes obtaining explicit consent from users, but it outlines some circumstances under which consent isn’t necessary, such as when a company must gather data to comply with another law, or when it’s necessary for a company’s “legitimate interests.”
That’s led to some uncertainty about when companies actually need consent. This week’s Google fine doesn’t clear that up, because the company claimed it had user consent, not that it had legitimate interests.
But there are plenty of other cases to clarify GDPR. Last week, NOYB filed another complaint against Google, along with seven other technology companies, including Amazon, Apple, Netflix, and Spotify, over the way their streaming services respond to users’ requests for their own data. Last year, the group Privacy International filed complaints against seven ad-tech, data brokering, and credit monitoring firms, including Equifax, Experian, Oracle, and Quantcast. The complaints brought by Privacy International challenge the use of “legitimate interest” as a legal justification for collecting data.