By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses
Exactly one month after the GDPR started applying, the French Supervisory Authority (“CNIL”) issued a formal warning to two companies in relation to their processing of localization data for targeted advertising. The CNIL found that the consent on which both companies relied did not comply with the General Data Protection Regulation (“GDPR”). The CNIL also concluded that one of the companies was keeping geolocation data for longer than necessary.
Fidzup and Teemo offer a tool (“SDK-tool”) that allows their customers, mobile app operators, to collect geolocation data and to use this data to provide customized advertising to their app users. The two companies create profiles of the app users based on the users’ visits to certain points of interest identified by the customers, such as the physical stores of the customer (or of competitors). They then provide advertising in the form of pop-ups to the app users. Once a user has downloaded a customer’s app, geolocation data is collected, irrespective of whether the app is running, and combined with other data collected about the app user, such as an advertising ID and technical information about the device (e.g., MAC address). Both companies relied on user consent obtained by the app operator to process the personal data they collected. The agreements with Fidzup and Teemo required their customers to inform app users about the targeted advertising activities enabled by the SDK-tool and to obtain the app users’ consent.
The CNIL concluded that the consent obtained did not meet the requirements of the GDPR. Under the GDPR, consent must be “freely given, specific, informed and unambiguous”. According to the CNIL, the consent obtained did not meet any of these requirements.