CNIL, the French privacy regulator, has levied a record fine of £44m against Google.

The fine has been issued with the criticism pointed towards the "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". There are some key lessons to be learned here for other companies that process large volumes of data. 

It is of note to larger companies that process and manage data in a large scale format that this fine has been brought about by privacy rights groups: None of Your Business (Noyb) and La Quadrature du Net (LDQN). Amongst the existing data risks to business this is clear evidence of the risk posed by such privacy rights groups. It is therefore even more important that companies act responsibly and take adequate measures in accordance with the legislation. 

The decision throws further light on the expectation of clarity and ease of access surrounding the use of data. A common area of criticism often placed against companies is that finding out what personal information is held and for what purpose is extremely tricky. 

A further point is made in the decision about the need for 'valid consent'. As privacy lawyers we frequently see the common misconceptions around consent. A "pre-ticked" consent box is not valid consent under the GDPR. 

For advice in relation to your compliance with the GDPR and associated privacy legislation, contact our team of privacy specialists.