France's privacy regulatory organization served up a fine and a dose of embarrassment to Google on Wednesday.
As expected, the national committee on information and liberty (CNIL) served up a 150,000 euros fine (approximately $200,000). The amount won't mean much to Google financially. But in addition to the fine, the group demanded that Google post a warning on its French home page, Google.fr.
CNIL justified its demand that Google post the warning because of "the extent of Google's data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights."
CNIL's Sanctions Committee said that while it did not have a problem with Google's intent to streamline its privacy policies into one, it found that the new policy had violated several provisions of the French Data Protection Act.
Google was found at fault for not sufficiently protecting its customers' personal data in four instances:
The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion. The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals. It fails to define retention periods applicable to the data which it processes. Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.
CNIL's announcement also noted that data protection regulatory groups in Spain and the Netherlands came to similar conclusions in November and December of last year.
Update, 1:50 p.m. PT: adds Google statement.