By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses 

Exactly one month after the GDPR started applying, the French Supervisory Authority (“CNIL”) issued a formal warning to two companies in relation to their processing of geolocation data for targeted advertising.  The CNIL found that the consent on which both companies relied did not comply with the General Data Protection Regulation (“GDPR”).  The CNIL also concluded that one of the companies was keeping geolocation data for longer than necessary.

Fidzup and Teemo offer a tool (“SDK-tool”) that allows their customers, mobile app operators, to collect geolocation data and to use this data to provide customized advertising to their app users.  The two companies create profiles of the app users based on the users’ visits to certain points of interest identified by the customers, such as the physical stores of the customer (or of competitors).  They then provide advertising in the form of pop-ups to the app users.  Once a user has downloaded a customer’s app, geolocation data is collected, irrespective of whether the app is running, and combined with other data collected about the app user, such as an advertising ID and technical information about the device (e.g., MAC address).  Both companies relied on user consent obtained by the app operator to process the personal data they collected.  The agreements with Fidzup and Teemo required their customers to inform app users about the targeted advertising activities enabled by the SDK-tool and to obtain the app users’ consent.

The CNIL concluded that the consent obtained did not meet the requirements of the GDPR.  Under the GDPR, consent must be “freely given, specific, informed and unambiguous”.  According to the CNIL, the consent obtained did not meet any of these requirements.

The consent obtained was not informed because the information on the targeted advertising was provided only after the app was installed.  At that time, the app users’ geolocation data and advertising ID had already been collected.  In addition, for existing apps of new customers, the SDK-tool started applying at the time of the next app update, without the users being proactively informed about the modifications to the app’s privacy policy or terms of use.  In the case of Fidzup, the CNIL also found that the information which Fidzup recommended that its customers use in their privacy policy was incomplete because it did not mention targeted advertising or the data controller, Fidzup.

The CNIL found that the app users’ consent was not freely given because the consent obtained to deploy the SDK-tool was bundled with the consent obtained for the other data processing activities of the app operators.  App users were not given the possibility to download a version of the customer’s application without the SDK-tool.

The consent was also found not to be sufficiently specific.  App users were not given the specific option to consent (or not) to the collection and use of geolocation data for targeted advertising.  The app operators obtained one single consent.  This consent covered all the data processing conducted both by the customers and by Fidzup or Teemo.

Finally, the CNIL concluded that Teemo’s retention of the geolocation data for 13 months was excessive for the purpose of providing targeted advertising.

At this time, there is no official information as to whether the customers who engaged the companies to insert the SDK-tool in their app and to target their users are under investigation.