Welcome back to our two-part series examining CNIL vs. Google: 10 lessons from the largest data protection fine ever issued. In this post we continue our analysis of CNIL vs. Google by taking a closer look at the additional lessons we can learn from this important decision.
6. …tell data subjects exactly what you’re doing with their data
CNIL found that it was hard for users to understand what Google was doing with their data. They commented: “Users are not able to fullly understand the extent of the processing operations… the purposes of processing are described in too generic and vague a manner and so are the categories of data processed for these various purposes.”
The lesson here is: tell data subjects clearly what data you are collecting and what you are using it for. Do not try to obfuscate it.