Enfin, the long wait is over. The first GDPR enforcement actions in relation to digital advertising are starting to emerge, ending the increasingly tense lull since 25 May 2018 when the Regulation went into effect. On 30 October, France’s national data protection authority (DPA), the Commission Nationale de l’Informatique et Libertés (CNIL), adopted a Decision addressed to the French start-up, Vectaury, putting the company on notice that if current practices that breach the GDPR are not ended within three months, sanctions will follow.
The CNIL is arguably one of the most influential of the EU’s DPAs, and has a reputation for firm action, especially in relation to online tracking. The Decision concerns what is arguably the most important single issue for the sector: legal bases for processing.
Vectaury matches geolocation data collected via mobile apps to other personal data contained in real-time bid requests to profile users, target ads on behalf of its advertiser clients, and measure campaign performance. Users venturing near Points of Interest (POIs) are offered ads that flag the proximity of a commercial offer likely to be of interest to them. The 20 or so apps that integrate the Vectaury SDK for the purpose of collecting the geolocation data are widely downloaded in France.
In its Decision, the CNIL found that Vectaury was failing to ensure that users whose geolocation data were being used to profile and target them were aware of this, or received the information in a way that met GDPR requirements.
The purported legal basis of the collection and processing was “consent”, which requires prior information about which companies are asking to process your data. If you do not know before your consent is requested who wants it or why they need it, then you cannot grant “informed” consent. Users of the apps that Vectaury was using to collect geolocation data appear initially to have received no information at all, nor were they requested to provide their consent.
In the course of the summer and early autumn, Vectaury seems to have tried to address the issue by recommending that its partners implement a “consent management platform” (CMP) based on the TCF (slightly confusingly, the Decision covers a period before Vectaury tried to implement a TCF CMP and a period after they did). The CMP implementation, which did not align to TCF policies, was still considered by the CNIL to be non-GDPR compliant because users had to click several times to navigate their way through the layered CMP to review the companies that wanted to process their data and the purposes for which those companies wanted consent. Moreover, once they arrived there, default settings were fixed to “accept”, a breach of the GDPR requirement that consent be granted by an “affirmative action”.
The CNIL also found that the explanations for data processing purposes provided to users were hard to understand and failed to meet the standard of being sufficiently clear and specific, to enable users to make an informed choice. This criticism applied to TCF data processing purpose definitions.
Finally, the CNIL objected to the fact that although Vectaury had attempted to comply with the law by providing its partner app developers a recommended CMP, its inability to independently verify that user consent had been obtained in a GDPR-complaint way, by the apps to whose bid requests it was responding, meant that it failed to meet its obligations under the law.
In reaching its decision, the CNIL has indirectly confirmed that implementation of a CMP that fully complied with the TCF Policies would have significantly improved the situation for Vectaury with respect to the timing of information to users. For example, current Policies require companies to provide the purposes of the processing and a link to the list of named companies in the first layer.
The Decision also seems to reaffirm that the CNIL considers that consent can be one of the appropriate legal bases for data processing for digital advertising, something that is occasionally challenged by privacy activists who believe that valid consent can never be obtained for modern online advertising.
Finally, the Decision did not entail the imposition of a fine, which may be a sign that the CNIL is prioritising the provision of much-needed guidance to the market on the many passages of the GDPR that are open to different, and even conflicting, interpretations, over wielding the axe of 4% of annual global turnover for breaches of the rules.
Where the industry will need to respond to this Decision is around the need to make descriptions of data processing purposes simple and easy for users to understand while also meeting the GDPR standard of “specific”.
The five TCF purpose definitions are currently being revised to take account of feedback received from the CNIL and others during the summer. Some DPAs want more granularity, which arguably means less ease of comprehension for users, while some want less, on the basis that a straight-up choice of “tracking” or “no tracking” would be more meaningful for users.
Similarly, it is going to take time to come up with the technical means to ensure that individual third parties further up the value chain have the ability to independently verify that the consent they receive, via consent strings, has been obtained validly by the first-party requesting consent on their behalf.
This first shot across the bows from the formidable Isabelle Falque-Pierrotin, CNIL Chair, previous Chair of the Article 29 Working Party of DPAS and inveterate critic of digital advertising, feels like a constructive attempt to nudge the industry in a direction that will contribute to its sustainability.
Crucially, the action reaffirms the relevance of the IAB Europe Transparency & Consent Framework (TCF), an open-source standard developed to help first and third parties ensure their data processing for ad delivery and measurement is GDPR-compliant. And it provides some much-needed guidance about how we can make the TCF more robust.
That is certainly the spirit in which we will be assimilating its implications over the coming weeks.
Townsend Feehan is CEO of IAB Europe