In its announcement, the Dutch DPA detailed requirements for Google to meet by February 2015 in order come into compliance with the Dutch data protection act and avoid the fine:
The Dutch DPA demands that Google:
- Will ask for the unambiguous consent of users for the combining of personal data from the different Google services. This can be achieved via a separate consent screen. Unambiguous consent can’t be obtained through information about this processing in the general (privacy) terms and conditions.
- Provides clear information about the fact the YouTube is part of Google. With regard to this last point, Google seems to have already taken measures in the Netherlands.
The Dutch DPA also noted that “Google has recently sent a letter to the 6 data protection authorities, in which the company announces a large number of measures to comply with European privacy laws. The Dutch DPA has not yet established whether the proposed measures will end all the violations found by the Dutch DPA.”
Recall that Google has paid small fines (compared with Google’s earnings) for privacy scandals before. In April 2012, the Federal Communications Commission decided (redacted pdf) that it would not take enforcement action against the company over data collection and retention as part of its online mapping service, Street View, but it would fine Google $25,000 for impeding the agency’s investigation into the private data collected and retained via its Street View product. In March 2013, Google reached a settlement (archive pdf) with 38 states and the District of Columbia over the collection and retention of individuals’ personal data through its Street View product, but the company would only have to pay $7 million total and implement a privacy program.