CNIL closes the investigation of mobile ad tech company Vectaury
CNIL claimed the company uses technical tools within the SDK embedded in the mobile application code of its partners. Such tools allow it to collect data from users of mobile devices even when these applications do not work. The embedded tools makes it possible to collect the advertising identifier of the mobiles devices geolocation data. These data are then cross-referenced with points of interest determined by the partners (store signs) to display targeted advertising on user's terminals from the places they visited. Vectaury also processes, for profiling purposes and advertising targeting, geo-location data that it receives via real-time bidding offers initially transmitted in order to allow the company to purchase advertising space.
At the time, CNIL took issue with Vectaury consent gathering mechanism regarding SDK data, mainly because : 1. The users are not reasonably informed that SDK tools collect their data when the application is downloaded; 2. It is not always possible to download the application without activating the data collecting tools. and 3. Geolocation data collection was enabled by default; 4. The users were not informed that her data will be used for real-time auction offers for ad-space and 5. User consent was not gathered until the user's personal data was used for advertising profiling. The DSP had collected at the time of the notice more than 42 million ad IDs and geolocation data from more than 32,000 partner apps. The initial notice can be viewed here.
On February 25th, 2019, CNIL issued a a decision to close the investigation on Vectaury (which can be viewed here in French), where CNIL took note of the company's new presentation of the contextual window allowing the collection of the consent of the users of the applications of your partners, integrating from now on a presentation of each purpose in first instance, accompanied by a User opt-in button to express consent. CNIL also take note of the presence of three buttons offered to the user to enable him to refuse all the purposes, to accept all the purposes, or to record the choices made from the mentioned buttons.
This decision appears to rely heavily on the meeting Vectaury had with CNIL on February 1st, 2019, where Vectaury apparently promised to use only the personal data of users whose consent has been validly gathered and verified. CNIL warned further enforcement actions should the non-compliance persist.
While it is unlikely CNIL looked into whether all of the Vactaury's mobile partners had implemented the changes to the Consent Management Platform the decision refers to, it provides context as to what CNIL considers acceptable methods of gathering valid consent in the digital advertising market.
You may find below a comparison (translated from French) between a non-compliant consent statement and an example of what consent narrative CNIL seems to agree with regarding Vectaury. Of course, the example is provided for educational purposes only as it relates to the Vectaury case.
For questions regarding consent gathering mechanisms under GDPR or CCPA and internal procedures regarding the use of valid user consent, please contact Alex Popescu.
GDPR non-compliant consent statement:
General example of consent narrative following CNIL's latest determinations (translated from French):
This Blog/ Website is made available by Intel Lex for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog you understand that there is no attorney-client relationship between you and Intel lex. The Blog/Web Site or any specific material contained herein should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.