On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained.

 

Vectaury is an advertising network that buys online advertising space on behalf of its customers (advertisers).  The company also offers a software tool that advertisers can integrate into their apps to collect geolocation data and information on the device and browser of users.  The company analyses this data, compares it with certain geographic points of interest (e.g., physical stores) and creates profiles of users’ habits.  Based on these profiles, the company organizes targeted advertising campaigns on behalf of advertisers.  It also tracks users while they are in the physical stores of the advertisers in order to assess the effectiveness of advertising campaigns.

 

The consent mechanism offered by the apps provided a short notice explaining that the application collects the users’ browser history and geographic location for the purpose of targeted marketing.  It offered users three options: to accept, to refuse or to customize their preferences.  According to the CNIL, the consent collected through the tool does not comply with three of the GDPR requirements for consent.

 

  • First, the CNIL found that the consent was not informed because the information provided was unclear, used complex terms, and was not easily accessible (particularly the list of the third-party entities receiving the data).

 

  • Second, the consent obtained at the time of the installation of the application was not sufficiently specific because it only gave users the option to consent or to refuse. Users were not asked to specifically consent to the processing of their geolocation data for targeted marketing purposes.

 

  • Third, the CNIL pointed out that the consent obtained through the tool was not based on an affirmative action. Users selecting “customize my preferences” were directed to a separate pop-up with pre-checked options.

 

During the CNIL’s investigation, Vectaury implemented the “Consent Management Platform” tool developed by the Interactive Advertising Bureau.  However, the CNIL found that the information provided and consent obtained by this tool also did not meet the requirements for consent set out by the GDPR.

 

This is yet another enforcement action by the CNIL against an online marketing company, and the high standard applied by the CNIL is something to be reckoned with. Although Vectaury had a consent experience in place, allowed users to refuse to give their consent, and even provided granular preferences to the user, this was still not enough.  Interestingly, as on previous occasions, the CNIL does not seem to have investigated the advertisers who have incorporated these tools in their apps.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.