In early 2018, the European Union announced that GDPR, or the General Data Protection Regulation, would take effect on May 25th and that organizations were expected to be compliant.
Within these regulations, heftier fines were introduced to discourage organizations from using personal data without consent. It was reported that fines could range from 10 million euros to 4% of the company’s global revenue.
Despite these bold fines, it was uncertain how or when such fines would begin appearing. Some predicted they would come immediately and some predicted early 2019, and, well, it has begun.
On January 21st, 2019 CNIL, France’s National Data Protection Commission, announced a $57 million penalty on Google for violation of GDPR compliance.
How Did We Get Here?
To be fair, the announcement of Google’s penalty was not the first for the CNIL and other data protection agencies.
There have been at least two additional known fines imposed for GDPR infringement in the amount of $22,766.30 to a German social network operator and $6,010.30 to an Austrian LLC.
The significance of Google’s fine is really in the length of time from initiation of the investigation to the fine announcement.
CNIL reported that the investigation into Google was initiated on June 1st, 2018, following the submission of two complaints, and penalties were not publicly announced until now, nearly 8 months after the investigation started.
This length of investigation indicates that there will likely be more coming based on this list issued only one month after GDPR took effect.
While the two smaller fines were imposed due to the lack of encryption of users' passwords and image processing violations, respectively, Google's fine was the result of a lack of consent from users to collect their data and use it for purposes such as ad targeting.
As Johnny Ryan, the chief policy and industry relations officer at the web browser Brave, states in the New York Times announcement, “But CNIL’s decision is very significant because it means that Google must stop building advertising profiles about people until it has properly told them what it is doing and received their consent.”
Why Does it Matter to Marketers?
This recent announcement can be taken in two ways.
The first is that Google is a massive, very public organization that collects an unfathomable amount of data every day, so naturally the company would be targeted for fines such as this.
Perhaps this is true; however, the other fined companies were not.
This is a clear indication that CNIL and other data regulation organizations are working to take on any organization, large or small.
The second is concern over the regulations moving beyond the EU and into the United States, where organizations that have largely ignored the GDPR news highlights would now have to speed up to comply and/or be subject to much more scrutiny.
Not only will organizations need to scramble, but this could also entirely change the digital media advertising industry.
Simply put, businesses big and small are at risk of being fined in the name of GDPR, so if you haven’t taken action yet, you need to.
What Do I Need To Do To Avoid Being Fined?
If you are collecting data through your website, start adding consent notifications such as cookies or a checkbox at the bottom of your form.
Be sure to include proper text to indicate how the users' data will be used.