Mobile Apps, Geo-tracking, Advertising and Consent
The French Data Protection Authority, the CNIL, recent took action against a company using technologies to enable the collection of personal data through mobile applications for the purposes of geographical targeted advertising.
The President of the CNIL commenced action against a company, Vectaury, due its failure to collect the consent of data subjects’ in relation to the processing of their geo localisation data, used for advertising targeting via mobile applications.
The CNIL monitored data processing activities carried out by Vectaury, which used technologies to enable the collection of personal data through multipurpose mobile devices and the creation of advertising campaigns on mobile devices.
Vectaury used SDK tools integrated into the code of mobile apps belonging to its partners. These SDK tools allowed Vectuary to collect users’ data from multipurpose mobile devices even when the partner mobile apps were not running. The SDK tools therefore facilitated the collection of advertising IDs from the mobile devices as well as the geo localisation data of the individual users. This data was then matched with interests determined by the partners owning the apps (such as store brands) in order to display targeted advertising on users' mobile devices the basis of the different locations those users visited.
The CNIL also noted that Vectaury also processes geo localisation data for profiling and advertising targeting which it received from auction bids in real time, initially obtained to allow Vectaury to buy advertising space.
What about the issue of consent for targeted advertising?
The CNIL stated that Vectaury had failed to collect consent from the data subjects concerned. Of course, consent is only one of the 6 lawful bases that allow an organisation to carry out lawful data processing activities (along with legitimate interests, pursuant to a contract, in order to comply with a legal obligation, in the public interest or in the vital interests of the data subject). Of course, with some types of processing, such as profiling and automatic decision making, or when conducting online marketing or when handling sensitive personal data, consent is usually required.
In this case, Vectaury submitted that it processed all personal data with the consent of the relevant data subjects. However, the checks carried out by the CNIL showed that the consent had not been validly collected.
Firstly, in the CNIL's communication of 9th November 2018, the CNIL stated the individual mobile device users were not systematically informed at the time of download of the apps that an SDK tool would be collecting their personal data in relation to their geo-localisation. The CNIL further noted that when the apps are installed, the users are not informed about the purpose of the processing (i.e., the advertising targeting), nor about the identity of the data controller. The information provided in the terms and conditions of use of the apps came only after the data processing had already occurred, but obtaining valid consent presupposes that such information is given to the data subjects prior to the data processing being carried out.
Furthermore, the CNIL noted that it was not possible for the users to download the apps without activating the SDK tool. The CNIL found that the use of the application therefore automatically resulted in the transmission of personal data to Vectaury.
By way of mitigation, Vectaury recently suggested that it could implement a consent-collection mechanism (known as a Consent Management Provider, or CMP) in order to reinforce the provision of timely information to data subjects. However, the CNIL considered that the CMP is not systematically incorporated into all mobile applications. The CNIL therefore considered that the CMP system is not satisfactory, especially since the information given to the user is is not sufficient. Finally, the CNIL noted that the collection of geo-localisation data is activated by default, and is not dependent on the individual users selecting their preferences.
What about consent for the collection of personal data in relation to real time advertising spaces auction bids?
The CNIL's investigation also showed that users' consent was not collected prior to using their personal data for the purpose of advertising profiling. The information given to the user did not explain that the data collected would be used for the purpose of bidding on advertising space in real time, nor that their data would be retained for the purposes of compiling commercial profiles. Similarly to the SDK tool, the CNIL noted that the collection of this data was activated by default, without the user having any possibility to select their preferences.
It is worth noting that the auction bid system for advertising space enabled Vectaury to collect more than 42 million advertising IDs as well as geo-localisation data from more than 32 000 mobile apps. In our world of big data, there must be significant value in the information collected.
The CNIL therefore considered that the SDK tool processing and the real time auction bids represents a risk to the right of personal privacy. Indeed, the data that was collected reveals the daily movements and habits of the individual users, without their consent. On this note, the CNIL reiterated that the processing was carried out without the concerned persons being aware of it and without allowing them to exercise their rights under the GDPR.
Therefore, the CNIL summoned Vectaury: (i) to collect valid consent from all the concerned users; and (ii) to delete all data that it had collected without consent, on order to ensure that Vectaury complies with its obligations under the GDPR.
In relation to these breaches, the President of the CNIL has ordered that Vectaury ensure its compliance with the French Law on Computer Technology and Freedoms (loi « Informatique et Libertés », which implements the GDPR into French law) within three months. The CNIL advised that no further action will be taken if Vectaury becomes compliant with the legal requirements.
In any event, any action brought by the CNIL will be publicised given the nature of the breaches and the number of data subjects concerned and so we impatiently await the outcome of this matter.
It it is worth noting that the CNIL stated that it intends to use the Vectaury case in order to raise awareness of the risks and issues related to this kind of technology and data processing, particularly as regards the number of actors in the chain and how data processing via SDK tools takes place. Should Vectaury fail to render its personal data processing activities compliant, then the next steps will be for the President of the CNIL to seise the subcommittee, which has the power to impose the infamous GDPR sanctions.
Key Learns
Firstly, if you are processing personal data using new technologies, ensure that your data processing practices are up to scratch and are compliant with the GDPR - such as by carrying out a data protection impact assessment, and by building your technology or app to privacy by design principles. If you are engaging a contractor to build technology for you, or you are using third-party plug-ins, then you should also take steps to ensure that your suppliers are able to evidence their GDPR-compliance.
Secondly, where consent is required, ensure that the required information is made available to data subjects before consent is collected and before any personal data is processed. Ensure that consent is granular in respect of each data processing activity, and that users are able to directly and manually activate (and turn off) any data processing and collection functions.
Finally, whilst there may have been some scaremongering earlier this year, at least before the GDPR came into force, the CNIL's approach in this matter shows that supervisory authorities are open to conciliation and prefer to warnings and compliance notices in GDPR issues before immediately resorting to fines and severe sanctions. Nonetheless, as many of you know, 3 months is not a huge amount of time to ensure GDPR-compliance, so there is a lot of merit in ensuring that your personal data practices up to speed before the CNIL (or your national data protection authority knocks at your door).
If you need any specific advice or require any further information about this matter, please contact us here.
Article by Marie Mortreux and Charlotte Gerrish @ Gerrish Legal. Article first published on LinkedIn, December 2018