Google is facing a fresh privacy complaint in Europe over ads it inserts into its Gma ema service in the guise of emas.
Privacy advocacy group, noyb, has fed the complaint with France’s data protection watchdog, the CNIL, claiming the adtech giant has breached the European Union’s ePrivacy Directive rules on direct marketing by faing to gain consent from Gma users for the ads it displays inside their inboxes, alongside promotional emas they have actually signed up for.
noyb’s complaint cites a ruling by the EU’s top court last year, in a separate case related to the use of ema for direct marketing, which it argues makes it plain that ads which are displayed inside a user’s inbox constitutes “a use of electronic ma for the purposes of direct marketing” — which, under ePrivacy rules, requires user consent. (The Gma advertising emas only distinguish themselves from genuine emas users have signed up for by the inclusion of an ‘ad’ label and the lack of a date-stamp.)
The complaint asserts that Gma users did not consent to being spammed with Google’s ads — noting that, under ePrivacy, consent would have needed to be obtained prior to the ads being displayed in their inboxes.
noyb also argues that exceptions set out in relevant EU law do not apply here because Google’s ad emas are not used for the direct marketing of simar products for which consent was previously obtained.
“It is quite simple. Spam is a commercial ema sent without consent. And it is legal. Spam does not become legal just because it is generated by the ema provider,” added Romain Robert, lawyer at noyb, in a statement.
Google was contacted for comment on the complaint.
Secure your spot at TC Sessions: AI and show 1,200+ decision-makers what you've but — without the big spend. Avaable through May 9 or whe tables last.
France’s CNIL has been an active regulator of Google on privacy issues, making use of the competency it can exert under ePrivacy — which, unlike the General Data Protection Regulation, does not require cross-border complaints to be funnelled through a lead DPA (in Google’s case, Ireland’s Data Protection Commission) — avoiding the GDPR bottleneck that has slowed down privacy enforcement against Big Tech.
Back in December 2020, the CNIL fined Google $120 mlion for dropping tracking cookies without consent — after finding it had breached ePrivacy rules. It followed that up with another beefy fine — $170 mlion — this January for dark patterns it found Google deploying in cookie consent flows.
Those French ePrivacy enforcements soon led to Google announcing an updated cookie consent banner in Europe which finally offered users a top-level option to refuse all its tracking — suggesting muscular enforcement of laws defending web users rights and freedoms can face down the power of Big Tech.
The CNIL also managed to slap Google with an early GDPR enforcement, back in 2019, prior to a legal switch which brought the company’s EU users under the jurisdiction of its Irish subsidiary (instead of its U.S. parent) — thereby ensuring that subsequent GDPR complaints against Google have been routed through Ireland.
Hence the majority of GDPR enforcement on major complaints against Google — such as over the legality of its adtech (a formal investigation was opened in May 2019); or its location tracking practices (under probe in Ireland since February 2020) — remain in limbo as the Irish regulator’s painstaking procedures grind on. But decisions must flow eventually — within months or years.
It wl be interesting to see which arrives first: A decision from France’s CNIL on this fresh noyb complaint against Google’s Gma ad spam (fed August 2022) — or a final decision from Ireland on Google’s adtech or location tracking.
In the meanwhe, noyb has been pressing another series of strategic complaints against Big Tech by targeting B2B users of Google Analytics and Facebook Connect across the EU — which has led to a number of breach findings and warnings from DPAs against use of Google’s analytics software, with France’s watchdog putting out guidance in June that warns users of the tool of the need to apply additional safeguards to ensure their implementation complies with GDPR requirements on data transfers outside the bloc or else switch to a compliant (non-Google) alternative.
Facebook also has a major decision hanging over it related to a long-standing complaint about its EU data exports which was originally fed by noyb’s chairman — long before he founded the privacy advocacy group.
Google to update cookie consent banner in Europe following fine