Lessons from the First Major Enforcement of GDPR

Image Source: https://www.flickr.com/photos/descrier/35440117101

On January 21, 2019, the French Data Protection Authority (the “French DPA”) fined Google LLC 50 million euros for violating the requirements of the GDPR “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” This is the first major enforcement by a European DPA since the GDPR came into force in May 2018.

How can your company avoid being the next target of an EU DPA? Below are checklists of acceptable and unacceptable practices for privacy policies and for obtaining consent, consistent with the French DPA’s decision.

The French DPA relied heavily on the guidelines on transparency and consent issued by the European Data Protection Board (the successor of the WP29). This decision is therefore of interest to all companies that collect personal data in relation to products or services offered to individuals in the EU, even if they do not offer them in France.

Privacy Policy Checklist

Under the GDPR, data controllers must provide individuals whose personal data is processed with certain information in a concise, transparent, intelligible and easily accessible way, using clear and plain language. U.S. companies often do this in consumer-facing privacy policies. Here is a list of dos and don’ts for your privacy policy:

  • Don’t make them search for the information: use short click paths to the information, and reduce the number of “more information” / “more options” links that must be clicked before the individual can actually access the required information.
  • Use appropriate headlines: the headlines in your privacy policies should clearly highlight the information contained in each section, especially when the complete information is not available in a single document.
  • Don’t use generic and vague terms when describing the purposes of the processing, e.g. “the information we collect is used to improve our services for all users” was considered too vague by the French DPA given the scope of Google’s processing activities.
  • Disclose the information you have to provide before the processing starts, e.g. a complete privacy notice should be disclosed before the individual subscribes to the service.

Consent Checklist

The GDPR provides that any data processing must rest on one of the legal bases it lists, one of which is consent. Consent must be freely given, specific, informed and unambiguous. Here is a list of dos and don’ts for reviewing how you obtain consent:

  • Don’t use pre-ticked boxes: individuals should make the choice themselves.
  • Secure active consent for each purpose, e.g. use one specific tick box for each purpose of processing.
  • Don’t use “bundled” consent, i.e. wording such as “I agree to the processing of my information as described above and further explained in the Privacy Policy” when the privacy policy describes several distinct processing activities.
  • Make the scope of consent clear: individuals must be able to distinguish between the processing of their personal data for a certain purpose on the basis of their consent, and the processing of their personal data based on a different legal basis such as the company’s legitimate interests.

For more information on this decision, you can check our post on Foley Hoag’s Privacy and Security blog.

This piece originally appeared in the Foley Hoag newsletter.