Explicit Consent failures in Global Adtech industry
Six months into the GDPR and the advertising industry still struggles to ensure proper consent is given for tracking technologies.
Online publishers are continuing to serve personalised ads without obtaining explicit consent, despite GDPR laws. This is potentially leaving publishers and ad exchanges vulnerable to financial penalties imposed by the Information Commissioner’s Office (ICO).
In a recent case, the French data protection and privacy regulator (CNIL) ordered advertising startup company Vectaury to delete all data it collected about mobile users, without proper consent. The firm was also ordered to set up an informed and specific consent process within 3 months.
The consequences are likely to be harsh, if Vectuary does not take immediate remedial action. CNIL will take further measures, such as punitive fines, potentially eating into the €20 million Vectuary raised during the previous month.
CNIL’s decision has sent waves of shock and concern across the AdTech industry worldwide.
According to the GDPR, consent is defined in Article 4(11) as:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
– Information Commissioner’s Office: “What is valid consent“
Nice try, but still not “Explicit Consent”
Vectaury successfully got its mobile advertising program into 32,000 mobile apps. Quite a feat considering there are some 42 million users. The users of these apps agreed to terms they probably didn’t read, to track their location at all times. Their details are sent to unnamed advertising partners without their explicit consent.
Basically, users have 3 options. They could choose Install, Cancel (and not install the app), or Settings. This is where the more knowledgable user could uncheck some of the pre-checked boxes.
When users installed the app, Vectaury’s SDK (code within the app) starts tracking users’ every move. Then a retailer’s advertisement is displayed the moment they visit an online store. Alternatively, advertisers can bid in real-time for placing their ad on users’ screens, based on their location and profile.
Not impressed by lack of proper consent
CNIL took a dim view of this. They ruled on the following 7 discrepancies:
- Vectuary’s SDK were not disclosed in the Terms which users agreed to.
- There was no separation between the app and the SDK, which could allow use of the app without agreeing to advertising
- Vectuary’s identity was not disclosed
- Data was collected regardless of the user’s choice
- There no valid legal basis for the processing of personal data
- People’s liberties were at risk by revealing their movements and lifestyle
CNIL determined that users were unaware of risks to their privacy and were not able to exercise their GDPR rights. Therefore, whatever consent Vectuary claimed was given, it was not informed, and not specific. Moreover, it was not affirmative as consents should be according to the GDPR.
The bottom line was that without explicit consent, the company must delete whatever personal data it has collected.
When the GDPR was announced in 2016, Vectuary had already appointed a Data Privacy Officer (DPO). The company duly implemented a Consent Management framework, developed by IAB Europe, to comply with the GDPR.
However, despite the firm’s best efforts, CNIL said Vectuary does not gain proper consent. IAB Europe also said the firm not only failed to comply with GDPR, but also violated IAB’s own policies. The consequences for Vectuary? They must undergo a second investigation – this time by IAB Europe, who could potentially impose their own penalty.
- When consent is assumed – but not actually given
- What Does the CNIL Decision Mean for the AdTech Industry?