France’s privacy watchdog today fined Google LLC 50 million euros, or about $57 million, for breaching the General Data Protection Regulation that the European Union passed last year.

At issue is the activation workflow for new Android devices. CNIL, as the watchdog is known, found that Google failed to meet a number of GDPR rules around obtaining consumers’ permission to collect their data and disclosing how the data will be used.

The first violation the regulator cited is that the search giant makes it overly difficult to find privacy-related information during device setup. According to CNIL, key details such as how long Google holds onto data are spread out over an unreasonably large number of pages, which requires users to perform as many as five or six actions to access them. In addition, the checkbox for opting out of personalized ads is hidden behind a “More options” button.

The CNIL also found fault with some of the wording in the setup wizard. The section about personalized ads, for example, fails to specify that users’ choices will apply not only to their Android but also across other Google services such as Gmail and Maps.

Then there’s the way the company asks for consent to collect data. A consumer needs to check two boxes that read “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy,” wording the CNIL said isn’t specific enough.

“The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalization, speech recognition, etc.),” the CNIL wrote. “However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.”

Today’s decision comes less than a year after the CNIL started examining how Google collects data on Android. It launched the investigation in response to complaints from two nonprofit privacy groups, None Of Your Business and La Quadrature du Net, that were filed last May within days of GDPR being enacted into law.

Google said in a statement today that “people expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

The $57 million penalty against Google is the latest reminder of the close scrutiny U.S. tech giants face in Europe. Last June, the EU slapped the search giant with a record $5 billion fine for abusing Android’s market dominance. Amazon.com Inc. is facing an antitrust probe over how it uses merchant data, while Apple Inc. and Facebook Inc. have also had highly publicized run-ins with the the region’s regulators.

Image: TheDigitalArtist/Pixabay