The French data privacy regulator (CNIL) served formal warnings on two advertising companies - FIDZUP and TEEMO - in relation to their collection and processing of personal data from mobile phones. The companies offer software development kit (SDK) tools for using the information collected in targeted marketing campaigns. The CNIL found that the consent upon which the companies relied on did not comply with the General Data Protection Regulation (GDPR) and that the companies were keeping geolocation data for longer than necessary. 

Using the SDK technology, TEEMO was able to collect user’s geolocation data every 5 minutes, even when the apps in which the SDK tools were integrated into were not in use. FIDZUP, on the other hand, collected MAC addresses (unique device IDs) of mobile phones. Both companies used the data collected to serve targeted and geolocated ads on users’ phones.  
Investigation by the French privacy regulator revealed that when users downloaded the mobile apps they were not informed that an SDK that collects their data is integrated into the apps, They were also not informed about the targeted advertising purposes of the processing or the data controller’s identity. Also, the information provided in the terms of use of the mobile apps was presented to users after the collection and processing of their data, whereas valid consents under the GDPR require providing that information beforehand.

The regulator also found that one of the two companies retains the geolocation data for a period of 13 months, a time period that was deemed disproportionate considering the purpose of the collection, constituting a violation of the GDPR. The French regulator's warnings stated that if the companies fail to correct the violations, they may face fines.

The press release (in French) is available here.