On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained.


Vectaury is an advertising network that buys online advertising space on behalf of its customers (advertisers).  The company also offers a software tool that advertisers can integrate into their apps to collect geolocation data and information on the device and browser of users.  The company analyses this data, compares it with certain geographic points of interest (e.g., physical stores) and creates profiles of users’ habits.  Based on these profiles, the company organizes targeted advertising campaigns on behalf of advertisers.  It also tracks users while they are in the physical stores of the advertisers in order to assess the effectiveness of advertising campaigns.


The consent mechanism offered by the apps provided a short notice explaining that the application collects the users’ browser history and geographic location for the purpose of targeted marketing.  It offered users three options: to accept, to refuse or to customize their preferences.  According to the CNIL, the consent collected through the tool does not comply with three of the GDPR requirements for consent.


  • First, the CNIL found that the consent was not informed because the information provided was unclear, used complex terms, and was not easily accessible (particularly the list of the third-party entities receiving the data).


  • Second, the consent obtained at the time of the installation of the application was not sufficiently specific because it only gave users the option to consent or to refuse. Users were not asked to specifically consent to the processing of their geolocation data for targeted marketing purposes.


  • Third, the CNIL pointed out that the consent obtained through the tool was not based on an affirmative action. Users selecting “customize my preferences” were directed to a separate pop-up with pre-checked options.


During the CNIL’s investigation, Vectaury implemented the “Consent Management Platform” tool developed by the Interactive Advertising Bureau.  However, the CNIL found that the information provided and consent obtained by this tool also did not meet the requirements for consent set out by the GDPR.


This is yet another enforcement action by the CNIL against an online marketing company, and the high standard applied by the CNIL is something to be reckoned with. Although Vectaury had a consent experience in place, allowed users to refuse to give their consent, and even provided granular preferences to the user, this was still not enough.  Interestingly, as on previous occasions, the CNIL does not seem to have investigated the advertisers who have incorporated these tools in their apps.