According to the CNIL's findings, Google has scattered information related to data processing operations across several documents, some of which are not easily accessible. Furthermore, Google has designed its interfaces in such a way that the information is fragmented and requires users to click on buttons and links to access relevant information. The CNIL has noted that the amount of information that users must read before they can identify the data processing operations is too large. This makes it difficult for users to understand what data processing operations are being carried out and what the scope and consequences of those operations are.
The information provided by Google to users is not easily accessible or comprehensible, which violates Article 12 of the GDPR. The CNIL has also noted that while providing exhaustive information from the first level might not be practical, the information provided should still be clear and comprehensible. In particular, the CNIL has found that the purposes of the processing operations are described in a way that is far too generic given the scope and consequences of the processing operations carried out. Additionally, the description of the purposes does not allow users to measure the extent of the processing and the degree of intrusion into their private sphere. The description of the data collected is also found to be imprecise and incomplete, which violates Article 13 of the GDPR.
Google's formulations do not distinguish between personalized advertising and other forms of targeting, and the personalization settings of the account are pre-ticked by default, which is treated as the user's agreement to the processing of their data. This violates Article 4(11), Article 6(1)(a), Article 7, Article 12, and Article 13 of the GDPR, which require that information provided to users must be clear and comprehensible, and that users must give their explicit and informed consent to the processing of their data.