The French data protection authority (Commission Nationale de l’Informatique et des Libertés – CNIL) recently published a warning it issued to the French AdTech company Vectaury, which collects and processes geolocation data for targeted advertising purposes through an SDK that is integrated into third-party mobile applications.
The CNIL’s warning to Vectaury reveals detailed information about the EU privacy regulators’ position on data protection issues that lie at the heart of the AdTech industry.
Although the CNIL’s supervisory action against Vectaury began prior to the GDPR taking effect and is mainly guided by the data protection legislation that preceded the GDPR, the CNIL’s findings and implications are just as enforceable and effective nowadays under the GDPR, if not more so.
Transparent, Accurate and Timely User Privacy Notices
User notice about data processing must be timely, accurate and exhibit transparency in order for user consent to qualify as informed consent required by EU data protection rules.
According to the CNIL, in order for a notice to qualify as the required informed consent, it must directly inform users of the identity of the companies responsible for processing their data. Vectaury’s user interface design on this issue was found to be lacking, because in order for users to be informed of these companies, they would have to explore a preferences menu and then scroll down to reach a link called “See All Partners”. Only a click on this link would send users to a page listing all partner companies responsible for processing the data.
The CNIL also found that Vectaury’s informational text to users describing its data processing practices was imprecise, unclear, complicated and misleading to some extent.
For example, the text stated that the processing “… allows us to offer you free access to our service and we are committed to displaying non-intrusive ads”. The CNIL found that the text wrongfully suggests that a user’s refusal to have their data processed results in either a paid business model or an inability to use the app. In the CNIL’s view, it also suggests that refusal to collect data will make advertisements appear in a more intrusive manner.
Specific, Granular and Affirmative Opt-In (not Opt-Out) Consent
The data processing notice presented to users also explains that: “You can click Accept to continue to benefit globally from the services … or click Customize to manage your preferences on the use of the application.”
If users click “Customize”, a new window pops up informing them that the application “uses targeting features offered by our partners, which support targeted advertising tailored to where you are and your profile. Your data collected for these purposes is transmitted to our partners.” Only there can users click on a Personalization tab to disable the default permission to collect data for targeted advertising purposes.
With these notices, all granular data processing purposes are pre-accepted by default, particularly when users click the global “Accept”. User action is then required to object to this processing, by unchecking, one after the other, the pre-ticked boxes corresponding to the different data processing purposes. Through an additional click, users can access the list of all data controllers processing the data, including Vectaury, and can object to the processing by those controllers.
The CNIL found this opt-out practice to be in violation of the requirement to obtain affirmative opt-in and granular user consent for each data processing purpose.
Obstacles in Relying on Consent Obtained by Others in the AdTech Chain
Vectaury also runs marketing campaigns for its advertiser-customers, through the purchase of ad space on auction platforms. The auction system allows mobile apps to find an advertiser to which to sell the app’s ad-space. The mobile apps send their geolocation data and the mobile advertising identifier onward through several intermediaries – including Supply Side Platforms (SSPs) – before it arrives at companies like Vectaury.
The CNIL determined that in order to guarantee the specific and informed nature of the consent collected for the benefit of the intermediaries and companies like Vectaury, the company from which the bid originates, and which collects the data, must inform users about the recipients of the data and obtain their consent. The CNIL found that this was not followed.
The CNIL also determined that the obligation to secure valid informed consent cannot be discharged by the mere presence of a contractual clause guaranteeing an initial consent validly collected by the SSPs. Rather, Vectaury must be able to independently demonstrate the validity of the consent applicable to its processing activities. The CNIL found that Vectaury has failed to do so.
The CNIL’s warning to Vectaury is likely to have radical compliance implications for any AdTech company that collects and processes personal data of EU users for online advertising purposes, and is similarly instructive for companies beyond the AdTech industry. It warrants review of the notice and consent practices of online services companies processing personal data of EU users.