What CMPs can learn from the French data protection authorityNovember 22, 2018byJulie Tamba
On 30 October 2018, the French Data Protection Authority (the “CNIL”) issued a warning against a small company called Vectaury in relation to how this Ad Tech actor was collecting consent for geolocation-based advertising campaigns.
On 8 November 2018, it decided to make this decision public notably because it is necessary to “raise awareness among professionals of the sector on this issue in a context where personal data collection for profiling and targeted advertising purposes – especially in the locations visited by the concerned persons – is growing quickly”. The CNIL “notes that the use of a SDK happens within an ecosystem where various actors have a role, namely mobile apps editors and advertisers, who should be alerted about data protection objectives”.
On 9 November 2018, a summary of the decision was live on the website of the CNIL.
A series of Ad Tech warnings
As a preliminary note, it is interesting to point out that this decision is not the first one from the CNIL in relation to the Ad Tech industry.
Three other warnings were issued and made public since last June against Teemo, Fidzup and Singlespot: all of them were related to the collection of geolocation data for profiling and targeted advertising purposes, using a SDK implemented in applications of those companies’ partners; all of them confirmed the principle that these companies which edited the SDK and gathered advertising identifiers in a database were to be considered as data controllers in relation to this personal data; all of them intensively insisted on the fact that consent was not validly obtained from users of the applications to that end.
It is obvious that the CNIL is learning from each control, as demonstrated both by the length of the decisions and by the amount of technical and sectorial details they contain which almost doubled in just five months.
Also, certain bizarre elements mentioned in the June decisions – such as the fact that free consent would require a possibility to download the application without the SDK at stake – disappeared in the October decisions. This may not be just a coincidence: as far as Teemo is concerned, the end of the procedure was pronounced on 3 October 2018 then published on 4 October 2018, because banners were implemented which allowed prior consent collection following an information about (i) the purpose of geo-targeted advertising, (ii) the identity of the partners (easily accessible through a clickable link) and (iii) the nature of collected data (more information being available via another clickable link) ; no reference to a “SDK-free” app was made.
First reminders resulting from these decisions:
- Advertising identifiers and mac address are to be considered as personal data;
- Each actor of the sector is a controller in relation to the base of personal data it creates using a SDK implemented for purposes it determines (also interesting to see the criteria used by the IAB);
- Where the legal basis is consent, each actor must personally be able to prove its existence;
- Information must be given – and consent obtained – for geolocation for a specific purpose before the operations are implemented.
If you are a prospect and would like to implement a CMP, just contact our commercial team and we will be happy to help.
Using a CMP, but not under any modalities
Now why is the Vectaury decision different?
Teemo, Fidzup, and Singlespot were not collecting consent but simply imposing upon their partners an obligation to mention their existence in their terms and conditions (Fidzup) or to collect consent from the users of their applications (Teemo and Singlespot). They were warned because they were not able to prove the bare existence of a consent.
Vectaury, on the other hand, had developed a Consent Management Platform (CMP) with a view of collecting consents notably for its own purposes (just like other Ad Tech companies have), was registered as a CMP service provider with the International Advertising Bureau (“IAB”) under the Transparency and Consent Framework (“TCF”), and was proposing this solution to its partners. It was warned by the CNIL because the modalities of consent collection (largely determined by the IAB framework) were not considered as valid under the GDPR.
So, this decision is the first to officially take a position in relation to how consent should be obtained by a CMP. Within the next days it was being widely commented, including by those who were happy to detract the online advertising real time bidding system (“RTB”) and the framework proposed by the IAB to pass on consent collected on a website or application to the various actors of the RTB system.
Rather than criticizing – often with a hidden agenda – a system which has taken much time and tremendous efforts from many persons of good will to build, being constructive means taking note of the decision, informing concerned actors about its content and how they can implement it, and improving anything which can be improved.
Precisions as to what is a valid consent:
- “Informed” means that it must not be implied that a refusal to give consent will lead to negative consequences, that each purpose must be stated in a clear manner and that a list of data controllers must be available on the very first consent popup;
- “Specific” means that global refusal or acceptance options are possible as a user-friendliness, only after all purposes have been exposed with a specific consent request for each of them;
- “Positive” means that any pre-acceptance must be banned, and that simple use of the service cannot be considered as consent.
If you are a client and would like to modify the parameters you have chosen, just contact our support team and we will be happy to help.
About the RTB
In a second part, the Vectaury decision also clarified certain points in relation to data obtained by the company, not from applications publishers – its partners – via its SDK, but from Ad Exchanges and Supply Side Platforms within the framework of bid requests.
The CNIL noted that, after being analysed to automatically and instantaneously verify the opportunity of the bid, the data – advertising identifiers – are retained for the purposes of profiling, targeting, and analysis of conversion. Looking for a valid consent here again in relation to these purposes, the CNIL made two interesting remarks before concluding that no such valid consent exists.
Remark 1: the CNIL stated that “In order to ensure the specific and informed characteristics of the consent collected for the benefit of partners, the company issuing the bid request and collecting the personal data must inform the users about the recipients of this data” being specified that this information should be provided “directly upon collection of the data and possibly through a hyperlink directing to this list [of recipients]”.
Remark 2: a bit later in the text, the CNIL also mentioned that “the obligation under previously mentioned article 7 [to base processing upon a valid legal basis] cannot be fulfilled by the bare existence of a contractual provision guaranteeing a validly obtained initial consent” insofar as the company must “be in a position to prove the validity of the consent for any single data it owns today”.
To be very clear, those two remarks simply implement in the bid request context the previously mentioned rules about informed consent and proof of consent by each data controller, nothing more.
What is even more worth mentioning is the fact that, while it has been indicated by certain commentators that this decision proves the inherent invalidity of the framework built by the IAB, this seems to be just the opposite: the CNIL clarified in the first remark the conditions for consent to be validly collected on behalf of vendors, then reminded in the second remark that this delegation is not per se an evidence of consent and that each vendor remains under the obligation to demonstrate consent if requested to do so.
Conclusions for consent collection under the TCF:
- Purposes and use of geolocation for those purposes should be clarified;
- Vendors should be listed before consent collection;
- Consents should not just be passed on via the consent string but also kept available for the publisher implementing the CMP and – via this publisher – for the vendors on its website or application;
- Consents should be stored for the duration of its validity then archived for evidence purposes until the prescription has expired.
If you are curious about how you can achieve this, contact the IAB for a global impact or contact us for an individual step.
Open questions for the Ad Tech sector
Although this is not addressed by the CNIL, this decision revives unpleasant questions for Ad Tech companies, which relate to the fact that the more likely a user is to refuse data collection, the bigger revenue drop will be. This may sound just like a question of user friendly design, but most people know that this is potentially much more for all companies which live on data and targeted advertising. It cannot be separated from another point with similar consequences which is the question of the validity of scroll or navigation as positive actions.
These questions also have a much wider scope than the decisions of the CNIL, as it is being discussed at EU level within the framework of the ePrivacy reform and may possibly be addressed by the European Court of Justice when examining the Planet 49 case.
It would be quite imprudent to expect from the future a radical change in the current direction at national, EU and worldwide levels, namely the strengthening of data protection. Only in France, the Ad Tech sector has been (2016 program of controls of the CNIL), is (previously mentioned ongoing procedures) and will be (claim by La Quadrature du Net or claim by Privacy International) under fire. It is time more than ever to think about the future of targeted advertising.
One of these open questions is whether data may be used by concerned persons as a valid alternative to a credit card for payment of online contents?
A decision from the Paris court dated 7 August 2018 implied so when it mentioned the fact that “while Twitter proposes its services to users without a financial counterpart, it commercializes – against payment from partners, advertisers or traders – personal or non-personal data provided by the user for free when registering on and using the platform” then went on stating that “provision then exploitation and monetization of data collected for free by Twitter must be analysed as an “advantage” under article 1107 of the French civil code, which constitutes the counterpart to the service provided by Twitter to its users and makes the contract with Twitter a contract concluded for a pecuniary interest”.
Such a position would allow publishers to give users a choice between paying for content or getting access to content paid via targeted advertising, i.e. thanks to their personal data (we explored this option earlier this year). However, the CNIL seems to take an opposite approach when it states, in the Vectaury decision, that consent is not valid where the text of the banner implies that “refusal for collection and processing will lead to a paying economic model” or “an impossibility to use the application” or “intrusive advertising formats”.
Options for the future:
- Clarify which purposes require consent and which purposes may rely on legitimate interest;
- Explore with the authorities the nature of a “detriment” which would render consent valid or invalid.