In July 2018, the French data protection authority (the CNIL) issued two public formal notices against two marketing platform providers—Teemo1 and Fidzup2—for failing to obtain valid consent under the General Data Protection Regulation (GDPR) for the use of location data for profiling and targeted advertising.3 The CNIL gave the two French companies three months to change their practices to comply with EU data protection law. On October 3, 2018, the CNIL closed the matter against Teemo,4 as it considered that its updated practices now comply with the GDPR.5 The actions provide an indicator as to how Data Protection Authorities (DPAs) may approach enforcement under the GDPR.

Background

Teemo and Fidzup provide location-based marketing solutions via a software development kit (SDK) integrated into publishers’ apps. The SDK collects location data, advertising ID, or media access control (MAC) address from users’ mobile devices and matches this information with the location of retailers, so that users see location-based ads when passing a store.

After downloading an app that integrates Teemo’s or Fidzup’s SDK, users are provided with a pop-up asking whether they wish to allow the app to collect their location data. The pop-up does not indicate that location data will be used for profiling and advertising purposes,6 nor that location data will be shared with Teemo or Fidzup. The CNIL audited both Teemo and Fidzup in 2017 and issued formal notices concluding that such consent is not sufficient to process location data for profiling and targeted advertising purposes.

The CNIL followed the approach adopted by the European Data Protection Board7 and concluded that consent is only valid if individuals are presented with information prior to providing consent including, at a minimum, the purpose(s) of the processing, the types of data collected, and the name of the company on whose behalf the data is processed. Consent must also be obtained via an affirmative action (e.g., clicking on an “I agree” button) and cannot be hidden in the privacy policy or other terms.

What Did the CNIL Say?

The CNIL concluded that users’ consent was not valid for a number of reasons:

  • Consent is not informed. Users only received notice after downloading the app and once the data collection had already started. According to the CNIL, such consent is not informed and the SDK should not collect any location data prior to providing notice and obtaining consent from the users.
  • Consent is not freely given. The CNIL noted that apps using Teemo and Fidzup are not offered without the SDK and, as a consequence, users are forced to agree to the processing of their location data to be able to use those apps. The CNIL concluded that such consent is not freely given as users are not provided with a real choice.
  • Consent is not specific enough. The CNIL considered that the consent was not specific enough, since the pop-up asking for consent did not indicate (i) the specific purpose(s) of the processing (i.e., profiling and targeted advertising) or (ii) the fact that location data is shared with a third party, such as Teemo or Fidzup. According to the CNIL, the language used to obtain consent needs to clearly indicate that location data is collected for profiling and targeted advertising purposes and that it will be processed by Teemo or Fidzup.

In addition, the CNIL reviewed the data retention practices of both companies and considered that Teemo’s retention period of 13 months was beyond what is necessary for the profiling and targeted advertising purposes. On the other hand, the CNIL did not raise an issue with the three-month retention period applied by Fidzup.

In response to the CNIL’s formal notice, Teemo modified its practices. Publishers using Teemo’s SDK must now show a banner to users at the time of the app installation—and before starting to collect the data—to obtain their consent for the use of their location data and advertising ID for location-based advertising purposes. The banner indicates the categories of data controllers (i.e., location-based marketing companies and their marketing partners) and links to a list with the names of the actual controllers. Users are also informed of their right to withdraw consent at any time and provided with a link to obtain more information about these rights and data retention. If users don’t consent to the processing of their location information, they can still use the app. In addition, Teemo set a new retention policy for location data in three stages: at each stage, the data is rendered less and less precise in order to be kept for a longer period of time. The CNIL closed the case concluding that Teemo has successfully complied with the GDPR. At the time of publication of the article, there was no information available on whether Fidzup would modify its practices in accordance with the CNIL formal notice.

What Does This Mean in Practice?

The GDPR triggered the obligation for companies to review their data processing activities and—among other things—to assess whether their consent practices meet the stringent GDPR requirements. As a result, companies have implemented more specific consent flows. In the context of online behavioral advertising (OBA), this has led to more detailed cookie banners, and sometimes even cookie walls that list in detail the purposes and the third-party data recipients. We expect this trend to continue, in particular as regulators review companies’ consent practices in light of the GDPR requirements.

In addition, the EU rules on cookies and similar technologies included in the e-Privacy Directive—a separate piece of legislation that complements the GDPR—are currently under review, and will soon be replaced by an ePrivacy Regulation.8 The new ePrivacy Regulation will impose additional restrictions on the use of cookies and similar technologies. While it is unlikely to be adopted before the end of 2019 (with an effective date one year after its adoption), companies operating in the OBA sector or providing tailored advertisements on their websites or apps should closely monitor the developments related to the ePrivacy Regulation.

WSGR will continue to monitor the news and update you on any significant developments.

[A note from the article’s authors Cédric Burton and Rossana Fol.9]

1 See CNIL, decision n° MED 2018-022 from June 25, 2018 regarding Teemo, at https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037217051.

2 See CNIL, decision n° MED 2018-023 from June 25, 2018 regarding Fidzup, at https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037217124&fastReqId=1928029948&fastPos=4.

3 See CNIL’s press release from July 19, 2018, available at https://www.cnil.fr/fr/applications-mobiles-mises-en-demeure-absence-de-consentement-geolocalisation-ciblage-publicitaire.

4 See CNIL, decision from October 3, 2018 closing decision n° MED 2018-022 regarding Teemo, available at https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037460321&fastReqId=1007310657&fastPos=1.

5 See CNIL’s press release from October 4, 2018, available at https://www.cnil.fr/fr/applications-mobiles-cloture-de-la-mise-en-demeure-lencontre-de-la-societe-teemo.

6 However, Teemo recommends that publishers indicate that location data may be used to provide the user with content that meets his/her expectations.

7 Guidelines on Consent under Regulation 2016/679 (wp259rev.01), p. 13, available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051.

8 See our WSGR Alert “New EU e-Privacy Regulation: European Parliament Committee Publishes Draft Report” (June 23, 2017), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-e-privacy-regulation-0617.htm.

9 The authors are grateful for the assistance of Anna Lytra.