Google fined $57 million under new European data privacy law

The fine is the biggest imposed under the General Data Protection Regulation.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read

Google has been fined $57 million by a French regulator for not presenting transparent information about its data-gathering practices.

Claudia Cruz/CNET

Google has been fined 50 million euros (about $57 million) by a French regulator for not properly disclosing to users how their data is collected and used for targeted advertising.

The penalty is the biggest yet imposed under a new European privacy law that went into effect in 2018. The European Union's General Data Protection Regulation gives Europeans more control over their information and how companies use it.

France's National Data Protection Commission said on Monday that it imposed the fine after determining Google hadn't met its obligation for transparency by making information about its data collection easily accessible to users. The commission found that Google didn't present information about data-processing purposes and data-storage periods in the same place, sometimes requiring users to make five or six clicks to obtain the information.

The best PCs for privacy-minded people

See all photos

The commission also found that Google hadn't presented the information in a clear and comprehensive manner, saying the company's descriptions are "too generic and vague." Google also didn't obtain valid user consent for personalized ads because of insufficient information, the commission said.

"People expect high standards of transparency and control from us," a Google spokesman said. "We're deeply committed to meeting those expectations and the consent requirements of the GDPR.  We're studying the decision to determine our next steps."

The GDPR, which went into effect in May, introduced tougher rules on processing and storing personal data and requires companies to seek explicit consent before using personal data. Companies must be able to provide their users with a copy of their personal data and are required to report data breaches within 72 hours.

Watch this: GDPR: Here's what you need to know

Originally published at 9:16 a.m. PT
Updated at 9:15 p.m. with Google statement.