First GDPR Fine for Google From the French Data Protection Watchdog

(, 21/01/2019) reports:

The CNIL,  the French data protection watchdog, has issued its first GDPR fine of $57 million (€50 million). The regulatory body claims that Google has failed to comply with the General Data Protection Regulation (GDPR) when new Android users set up a new phone and follow Android’s onboarding process. […]


The CNIL […] concluded that Google fails to comply with the GDPR when it comes to transparency and consent. […]


“Essential information […] are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” the regulator writes. […]


Second, Google’s consent flow […]. By default, Google really pushes you to sign in or sign up to a Google account. The company tells you that your experience will be worse if you don’t have a Google account.


According to the CNIL, Google should separate the action of creating an account from the action of setting up a device […]


If you choose to sign up to an account, when the company asks you to tick or untick some settings, Google doesn’t explain what it means. For instance, when Google asks you if you want personalized ads, the company doesn’t tell you that it is talking about many different services, from YouTube to Google Maps and Google Photos — this isn’t just about your Android phone.


In addition to that, Google doesn’t ask for specific and unambiguous consent when you create an account — the option to opt out of personalized ads is hidden behind a “More options” link. That option is pre-ticked by default […]


Finally, by default, Google ticks a box that says “I agree to the processing of my information as described above and further explained in the Privacy Policy”  […]


Broad consent like this is also forbidden under the GDPR.