GDPR Fines, Data Privacy Day, and Other Hot Takes

It’s Data Protection Day, the happiest day of the year!  A year ago, we were talking about the changes that GDPR would bring, and how to gear up operations to ensure that you didn’t violate the law or mislead your customers.  The premise was simple: transparency is a fundamental precept under GDPR (and US law), and so to avoid liability, it’s crucial to honestly and simply explain to customers what you do with their information and why.  And everyone listened, and we all lived happily ever after.

Not so much.

CNIL, the French Data Protection Authority, has fined Google €50m for failing to obtain meaningful consent to tracking and for having a convoluted set of privacy disclosures across its websites.  In one act, the GDPR has already produced more fines than any other privacy regulation in history, taking aim at a company, in the public consciousness, that is synonymous with massive data collection.  Those commentators who predicted that European regulators would need to demonstrate their seriousness about issuing fines under GDPR appear to have been proven correct.

[GIF: "told you so"]
This is as subtle as I get.

“Fifty million Euros? Mon Dieu!” you might say, and you’d be right that it is certainly an eye-catching number, and it is definitely higher than the €20 million figure listed as a potential fine under GDPR.  But remember, please, that Google had $33.6 billion in revenues last year.  In the third quarter.  Which means that this fine represents the total revenue Google made between 9am and 5pm on October 22 (if you don’t include the lunch hour).

Still, fifty million here or there starts to add up, and the amount of the fine isn’t really the most important part of this news.  The reasoning behind the fine is much more important, especially for other businesses, because CNIL is broadcasting to the world that “if Google isn’t allowed to do this, neither are you.”

And, unfortunately, plenty of businesses are doing exactly what Google did to earn this fine.

For instance, the first portion of CNIL’s ruling outlines Google’s failure to provide sufficiently user-friendly explanations of what kind of data processing they do, how they do it, and why:

Essential information, such as the purposes for which the data is processed, the length of time the data is stored, or the categories of data used to personalize the advertisement, are excessively scattered throughout several documents, which include buttons and links that it is necessary to activate to read additional information. Relevant information is accessible only after several steps, sometimes involving up to five or six actions. This is for example the case if a user wants to have complete information on the collection of its information for the personalization of advertisements, or for its geolocation.

Parsing the language, you see that CNIL is penalizing Google because of a lack of transparency: users can’t easily find out what data Google collects, why it uses it, or how to exercise control over Google’s activity. And while Google scattered its privacy practices across multiple websites, users had only a single opportunity to consent to all of its data collection practices in one location — in effect, forcing users to agree to data collection and usage that they didn’t understand because they hadn’t taken the confusing clickthrough journey through all six locations containing Google’s privacy policies.

[GIF: "confused computer"]
CNIL went through a lot of computers during this investigation.

Effectively, CNIL hit Google with the largest-ever privacy fine because Google doesn’t tell data subjects how it uses their data or give them control over it.  That’s a far cry from the “Oh, the EU just likes to pick on Google” storyline we have heard from some commentators, because it’s exactly the kind of thing small and medium-sized companies do.  And while data privacy isn’t just about privacy policies, you can’t simply skip over crafting a good policy and expect there to be no consequences.

Google has already announced its intention to appeal the fine, and it will likely spend some hefty fraction of €50m on legal fees.  That expenditure represents an aspect of compliance that rarely arises during conversations — the high cost of defending or appealing an adverse decision by a regulator, and the negative effect on public perception.  Google stock fell three percent after CNIL announced the fine, and even a medium-sized fine at a smaller company could be catastrophic.

The most important takeaway from CNIL’s action is that no company is immune from the basic GDPR requirement that consumers have the right to know how their personal data is used.  A straightforward privacy policy goes a long way towards demonstrating your company’s commitment to respecting that right, or at least towards your desire not to receive the next major fine issued by an active and increasingly aggressive CNIL.

