After being a major thorn in the side of Facebook for nearly a decade, the European privacy group noyb continues to turn at least some of its attention to Google. A new ePrivacy complaint from the group alleges that advertising emails are sent to Gmail users without their consent, a violation of that directive.
Sponsored advertising emails placed in inboxes of Gmail users may run afoul of ePrivacy directive terms
Gmail users are no doubt familiar with the “Spam” folder, to which unsolicited advertising emails are (ideally) shunted. But there is a special class of advertising emails that are greenlit by Google themselves, part of its monetization system for Gmail. These will be delivered to the inboxes of Gmail users no matter what, usually based on prior interests or companies the user has already interacted with. The advertising emails are sometimes worded and placed such that they give the user the impression that they are subscribed to marketing emails from these companies when they are not.
The noyb complaint contends that these meet the definition of “direct marketing” emails, at least as viewed by the ePrivacy directive. The ePrivacy complaint cites a European Court of Justice decision determining that any marketing in an email format meets its definition of advertising emails; under ePrivacy terms, a company must first collect user consent to send these.
noyb’s position is that if Gmail users do not grant their consent to each of these specific companies, the advertising emails are spam and should not be legal. The ePrivacy complaint asserts that these emails are not legitimized simply by being generated or facilitated by Google. The advertising emails are labeled as such and sit at the top of mailboxes, but are otherwise a standard email and could lead Gmail users to believe that a company they had unsubscribed from or only made a one-off purchase from has them on a mailing list.
Romain Robert, program director at noyb.eu, described the Gmail scheme as if the “postman was paid to remove the ads from your mailbox and put his own instead.” A similar advertising system was recently introduced to the mobile version of Microsoft Outlook as well, and could be impacted if CNIL rules in favor of noyb’s ePrivacy complaint.
ePrivacy complaint comes after string of CNIL decisions against Google
France’s lead data privacy protection agency has shown the greatest level of interest thus far in regulating big tech firms. This is one of the reasons that noyb brought its ePrivacy complaint to the country; the other is that ePrivacy actions do not require the same elaborate international collaborative process that General Data Protection Regulation (GDPR) complaints do. Any GDPR complaint involving a firm like Google or Facebook usually puts Ireland’s Data Protection Commission at the head of the investigation, and that body has taken a lot of flak for slow investigations and underwhelming proposed penalties.
CNIL has already taken several major actions against Google, and these have generally stemmed from ePrivacy complaints rather than the GDPR process. It has already fined the company between €50 million and €150 million per incident for use of tracking cookies without obtaining proper user consent, unclear privacy notices and the use of “dark patterns” in steering users through their opt-in and opt-out options. Google has been fined billions by the European Commission over antitrust issues, but has largely evaded trouble stemming from privacy and GDPR issues outside of France.
noyb also made use of CNIL for a prior victory against Google earlier this year, when it was able to demonstrate that Google Analytics was in breach of the international data transfer rules that it had previously established with another successful complaint against Facebook. CNIL found that websites in the country cannot make use of Google Analytics as it passes potentially individually identifiable information back to the search giant, and that they can be held individually liable for doing so. Austria, Holland and Italy have since followed with similar rulings.
Google’s Gmail advertising emails have been controversial for nearly a decade now. When the new policy rolled out in 2013, the company was taken to task for stating in a class-action lawsuit that Gmail users should not have any expectation of privacy. At the time, Google was being sued for alleged violation of wiretap laws in scanning the contents of user emails for targeted advertising. Google’s position in that suit was that information voluntarily turned over to a third party should not be covered, citing a 1979 decision involving telephone calls. The company announced in 2017 that it would stop scanning the contents of emails for targeted advertising purposes.