The French data protection authority (Commission Nationale de l'informatique et des Libertés – CNIL) recently published a warning it issued to the French AdTech company Vectaury, which collects and processes geolocation data for targeted advertising purposes through an SDK integrated into third-party mobile applications.
The CNIL’s warning to Vectaury reveals detailed information about the EU privacy regulators’ position on data protection issues that lie at the heart of the AdTech industry.
Although the CNIL’s supervisory action against Vectaury began before the GDPR took effect and is mainly guided by the data protection legislation that preceded the GDPR, the CNIL’s findings and their implications are just as enforceable and effective today under the GDPR, if not more so. It is also probable that the CNIL chose not to impose a penalty on Vectaury at this time, gave it a three-month grace period for corrective action and made the warning public, all in order to educate the AdTech industry on proper EU data protection compliance.
Transparent, Accurate and Timely User Privacy Notices
User notice about data processing must be timely, accurate and exhibit transparency in order for user consent to qualify as informed consent required by EU data protection rules.
Vectaury’s mobile SDK, which collects and processes users’ geolocation data, is integrated into a host application. The CNIL found a deficiency here: when users install the host application, no notice is given about the collection of geolocation data via the SDK for the purpose of profiling users and targeted advertising.
Moreover, the CNIL’s findings indicate that AdTech companies may not rely on the device’s native geolocation confirmation notice and consent. The device’s notice does not allow users to consent to the processing of their personal data for the purpose of displaying targeted advertising, or for user profiling.
According to the CNIL, in order for a notice to qualify as the required informed consent, it must directly inform users of the identity of the companies responsible for processing their data. Vectaury’s user interface design on this issue was found to be lacking, because in order for users to be informed of these companies, they would have to explore a preferences menu and then scroll down to reach a link called “See All Partners”. Only a click on this link would send users to a page listing all partner companies responsible for processing the data.
The CNIL also found that Vectaury’s informational text to users describing its data processing practices was imprecise, unclear, complicated and misleading to some extent.
First, the text stated that the processing “… allows us to offer you free access to our service and we are committed to displaying non-intrusive ads”. The CNIL found that the text wrongfully suggests that a user’s refusal to have their data processed results in either a paid business model or an inability to use the app. In the CNIL’s view, it also suggests that refusal to collect data will make advertisements appear in a more intrusive manner.
The SDK then explains the issues of user profiling as “the collection and processing of information relating to your use of this service in order to subsequently send you advertisements and / or personalized content in other contexts … the content of the site or application is used to make inferences about your interests, which will be useful in future advertising and / or content selections”.
The CNIL found this description to be inaccurate, covering a large number of situations in vague terms. It also found that the complex wording used is ill-suited for a general audience.
Specific, Granular and Affirmative Opt-In (not Opt-Out) Consent
The data processing notice presented to users also explains that: “You can click Accept to continue to benefit globally from the services ... or click Customize to manage your preferences on the use of the application.”
If users click “Customize”, a new window pops up informing them that the application “uses targeting features offered by our partners, which support targeted advertising tailored to where you are and your profile. Your data collected for these purposes is transmitted to our partners.” Only there can users click on a Personalization tab to disable the default permission to collect data for targeted advertising purposes.
With these notices, all granular data processing purposes are pre-accepted by default, particularly when users click the global “Accept”. User action is then required to object to this processing, by unchecking, one after the other, the pre-ticked boxes corresponding to the different data processing purposes. Through an additional click, users can access the list of all data controllers processing the data, including Vectaury, and can object to the processing by those controllers.
The CNIL found this opt-out practice to be in violation of the requirement to obtain affirmative opt-in and granular user consent for each data processing purpose. Vectaury subsequently presented to the CNIL a newly developed consent tool, designed to standardize the way consent is collected via the SDKs. The tool is based on the Consent Management Provider (CMP) framework of the Interactive Advertising Bureau (IAB). Yet the CNIL found this tool to be similarly deficient, because the specific data processing purposes are again pre-accepted by default.
Obstacles in Relying on Consent Obtained by Others in the AdTech Chain
Vectaury also runs marketing campaigns for its advertiser-customers, through the purchase of ad space on auction platforms. The auction system allows mobile apps to find an advertiser to which to sell the app’s ad-space. The mobile apps send their geolocation data and the mobile advertising identifier onward through several intermediaries – including Supply Side Platforms (SSPs) – before it arrives at companies like Vectaury. Vectaury then uses this data to estimate the value of the ad space for its advertiser-customers and place a bid.
Vectaury, like many other AdTech companies, has concluded agreements with SSPs which stipulate that the SSPs are obligated to secure user consent for Vectaury’s receipt and processing of the data. They are also obligated to provide Vectaury proof of such consent for each user and purpose.
The CNIL determined that in order to guarantee the specific and informed nature of the consent collected for the benefit of the intermediaries and companies like Vectaury, the company from which the bid originates, and which collects the data, must inform users about the recipients of the data and obtain their consent. The CNIL found that this was not followed.
The CNIL also determined that the obligation to secure valid informed consent cannot be discharged by the mere presence of a contractual clause guaranteeing an initial consent validly collected by the SSPs. Rather, Vectaury must be able to independently demonstrate the validity of the consent applicable to its processing activities. The CNIL found that Vectaury had failed to do so.
The CNIL’s warning to Vectaury is likely to have far-reaching compliance implications for any AdTech company that collects and processes personal data of EU users for online advertising purposes, and is similarly instructive for companies beyond the AdTech industry. It warrants a review of the notice and consent practices of online service companies processing personal data of EU users.