Consent-based processing of personal data is relatively commonplace in the interactive entertainment and video games sector. However, the process of obtaining consent is something everyone should take the time to get right, particularly if the processing activities are complex. In a recent, well-publicised decision, following a complaint relating to Google’s “Android” operating system, the French data protection authority “CNIL” fined Google €50m for breaching its data privacy obligations under the General Data Protection Regulation (“GDPR”). In particular, CNIL found that Google’s online advertising practices had failed to meet the transparency obligations under the GDPR and did not have a valid consent for processing users’ personal data.
The complaint was brought by None Of Your Business, an organisation fronted by privacy campaigner Max Schrems; and La Quadrature du Net, a French advocacy group which campaigns for digital rights. Google had been relying on users’ consent to process personal data for advertising purposes. However, CNIL found that this consent had not been lawfully obtained, meaning that it considered that Google did not have a lawful basis for processing the personal data. In addition, CNIL found that Google had failed to provide the necessary information to end users about how their personal data was being used, as required by Articles 13 and 14 of the GDPR.
Although the decision was issued by the French data protection authority, each supervisory authority is under a broad obligation to contribute to the consistent application of the GDPR throughout the EU, and to cooperate with each other, and it is likely that supervisory authorities in other EU countries will take a similar approach in interpreting the application of the GDPR.
This is the largest fine ever issued by any data protection supervisory authority in the EU. Google is appealing this decision.
Obtaining lawful consent can be challenging, particularly where processing activities are complex
Google’s processing of personal data was taking place in a complex ecosystem involving multiple third parties. The data was being shared across a network of organisations, which were processing personal data in a variety of sophisticated ways. The GDPR requires personal data to be processed lawfully, fairly and in a transparent manner. Consent needs to be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. In addition, under Articles 13 and 14, users need to be provided with certain information about the processing of their personal data, such as the identity and contact details of the controller, the purposes of the processing, the recipients or categories of recipients of personal data, and the period for which personal data will be stored.
In its decision, CNIL highlighted certain practices, which it considered contributed to the consent on which Google was relying being unlawful. In particular, CNIL found that:
• Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, were excessively disseminated across several documents, with buttons and links required to be clicked to access complementary information;
• The information provided to users was not always clear nor comprehensive;
• The information provided to users was not adequate so as to enable users to fully understand the extent of the processing operations carried out by Google. The purposes of processing and the categories of personal data were also described in a way which was too generic and vague;
• The information communicated was not clear enough so that the user could understand that the legal basis of processing operations for the ads personalisation was the consent, and not the legitimate interest of the company; and
• In relation to some categories of data, information about how long the data was kept was not provided to end users.
In addition, CNIL found that the processing operations were particularly massive and intrusive because of the number of services offered by Google (about twenty), as well as the volume and nature of the data.
Broader implications for consent-based processing
The decision could ultimately make it harder for publishers and studios to advertise their games directly to a targeted audience online. It may also affect any organisations which rely on targeted advertising as a revenue stream (for example video game streaming platforms which enable users to stream live footage of eSports, multiplayer games and play-throughs), as well as smaller businesses who rely on ad-generated revenue, particularly those operating in the casual gaming space.
More broadly, the decision is also important for anyone who relies on consent as their lawful basis for processing personal data, including many video games and free-to-play casual games. If you are relying on consent as your lawful basis for processing personal data, you should think carefully about how the consent is obtained. In particular, think about whether the means by which you collect consent is clear and transparent enough for users, and whether all the required information is being provided in a GDPR-compliant way. If the consent you are relying on is not GDPR-compliant, you will need to take steps to address this.