The French data privacy regulator (CNIL) served formal warnings on two advertising companies - FIDZUP and TEEMO - in relation to their collection and processing of personal data from mobile phones. The companies offer software development kit (SDK) tools for using the information collected in targeted marketing campaigns. The CNIL found that the consent upon which the companies relied on did not comply with the General Data Protection Regulation (GDPR) and that the companies were keeping geolocation data for longer than necessary.
Using the SDK technology, TEEMO was able to collect user’s geolocation data every 5 minutes, even when the apps in which the SDK tools were integrated into were not in use. FIDZUP, on the other hand, collected MAC addresses (unique device IDs) of mobile phones. Both companies used the data collected to serve targeted and geolocated ads on users’ phones.
The regulator also found that one of the two companies retains the geolocation data for a period of 13 months, a time period that was deemed disproportionate considering the purpose of the collection, constituting a violation of the GDPR. The French regulator's warnings stated that if the companies fail to correct the violations, they may face fines.
The press release (in French) is available here.