Google has three months to clean up its privacy act in France or else.
Specifically, Google has been ordered to implement the following changes, as outlined by the CNIL:
- Define specified and explicit purposes to allow users to understand practically the processing of their personal data.
- Inform users by application of the provisions of Article 32 of the
French Data Protection Act, in particular with regard to the purposes
pursued by the controller of the processing implemented.
- Define retention periods for the personal data processed that do not
exceed the period necessary for the purposes for which they are
- Not proceed, without legal basis, with the potentially unlimited combination of users’ data.
- Fairly collect and process passive users’ data, in particular with
regard to data collected using the “Doubleclick” and “Analytics”
cookies, “+1” buttons or any other Google service available on the
- Inform users and then obtain their consent in particular before storing cookies in their terminal.
From February to October of 2012, the CNIL led an investigation into
Google’s privacy policies to determine if they were in compliance with
European law. Based on its findings, the group asked Google in October
to revise its policies within four months. But Google has yet to made
any “significant compliance measures,” the CNIL charged.
If Google doesn’t comply, it faces more than just the wrath of French regulators.
“By the end of July, all the authorities within the (EU data
protection) task force will have taken coercive action against Google,”
CNIL President Isabelle Falque-Pierrotin said, according to Reuters.
As a result, the company potentially faces fines of several million euros across Europe.
In response to the CNIL’s order, Google sent CNET this statement:
simpler, more effective services. We have engaged fully with the
authorities involved throughout this process, and we’ll continue to do
so going forward.”
Updated 7:15 a.m. PT
with response from Google.