Targeted advertising companies receive GDPR notices
Richard Kranendonk
The French privacy authority CNIL (Commission nationale de l'informatique et des libertés) has taken aim at four companies in the advertising ecosystem: Fidzup, Singlespot, Teemo and Vectaury. All four are in the business of driving in-store traffic by collecting location data from consumers' smartphones and combining it with other data sets.
The companies had not obtained valid consent from the customers
The companies had not obtained valid consent from the consumers. In other words, they collected, processed and sold their data without those consumers giving permission, or even being aware of it. Under article 4 of the GDPR, consent must be freely given, specific, informed and unambiguous.
The companies offered retailers software building blocks for their mobile apps, known as SDKs (Software Development Kits), through which the apps automatically shared the consumers' location data with these advertising companies. The consumers were not informed of this and could not opt out: using the retailer's app meant handing over their data by default, which is a GDPR violation in itself.
Next, to sell ad space, the consumer data was put up for sale through real-time auction platforms. In one case an intermediary used the data transferred by the bidding platform to enrich its own database [source].
The CNIL considered that the retailers needed to properly inform the users of their apps, by means of a pop-up window asking for consent through opt-in. Proceedings against three of the four companies were ultimately brought to an end after they complied with this. The investigation against Vectaury is still pending: it has been given three months to comply or face sanctions.
Key Take-Away Points
For me, there are several take-away points in this. First, there seems to be consensus amongst the different national authorities about their priorities in GDPR enforcement: the Dutch Autoriteit Persoonsgegevens has indicated that its top areas of interest are profiling, automated decision making, the combination of data sets, and the processing of location data (see my earlier article, in Dutch).
Organisations should not be afraid of fines after a single infringement or mistake
Second, the companies involved first received public formal notices, and after they complied, the procedures were dropped. Organisations should not be afraid of being slapped with the feared fine of €20 million or 4% of annual turnover after a single infringement or mistake (I know several US companies that have halted their activities in the EU for fear of this). What they should be afraid of is their reputation: these are public notices. And although I doubt the companies in this case care much, the retailers with the customer-facing apps should!