On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained.

 

Vectaury is an advertising network that buys online advertising space on behalf of its customers (advertisers).  The company also offers a software tool that advertisers can integrate into their apps to collect geolocation data and information on the device and browser of users.  The company analyses this data, compares it with certain geographic points of interest (e.g., physical stores) and creates profiles of users’ habits.  Based on these profiles, the company organizes targeted advertising campaigns on behalf of advertisers.  It also tracks users while they are in the physical stores of the advertisers in order to assess the effectiveness of advertising campaigns.

 

The consent mechanism offered by the apps provided a short notice explaining that the application collects the users’ browser history and geographic location for the purpose of targeted marketing.  It offered users three options: to accept, to refuse or to customize their preferences.  According to the CNIL, the consent collected through the tool does not comply with three of the GDPR requirements for consent.

 

  • First, the CNIL found that the consent was not informed because the information provided was unclear, used complex terms, and was not easily accessible (particularly the list of the third-party entities receiving the data).

 

  • Second, the consent obtained at the time of the installation of the application was not sufficiently specific because it only gave users the option to consent or to refuse. Users were not asked to specifically consent to the processing of their geolocation data for targeted marketing purposes.

 

  • Third, the CNIL pointed out that the consent obtained through the tool was not based on an affirmative action. Users selecting “customize my preferences” were directed to a separate pop-up with pre-checked options.

 

During the CNIL’s investigation, Vectaury implemented the “Consent Management Platform” tool developed by the Interactive Advertising Bureau.  However, the CNIL found that the information provided and consent obtained by this tool also did not meet the requirements for consent set out by the GDPR.

 

This is yet another enforcement action by the CNIL against an online marketing company, and the high standard applied by the CNIL is something to be reckoned with. Although Vectaury had a consent experience in place, allowed users to refuse to give their consent, and even provided granular preferences to the user, this was still not enough.  Interestingly, as on previous occasions, the CNIL does not seem to have investigated the advertisers who have incorporated these tools in their apps.

Tags: Advertising Networks, CNIL, Consent, Data Protection, European Union, GDPR, GDPR consent, Geolocation data, Online Marketing, Targeted Advertising
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less
Photo of Anna Sophia Oberschelp de Meneses Anna Sophia Oberschelp de Meneses

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital…

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital Fairness Act, turning legal requirements into practical, business-friendly solutions.

In data protection, I support tailored GDPR compliance, international data transfers, and privacy-conscious marketing. On cybersecurity, I guide clients through risk assessments, incident response, and evolving laws such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I advise on existing laws to help businesses revise their terms and conditions for compliance and review online interfaces to ensure all mandatory consumer information is clearly provided, tackling issues like dark patterns and unfair contract clauses.

Fluent in multiple languages and experienced across borders, I’m passionate about helping clients embed compliance into their operations and thrive in the fast-changing digital landscape.

Read more about Anna Sophia Oberschelp de MenesesEmailAnna Sophia's Linkedin Profile
Show more Show less