By: Yoram Lichtenstein, Esq., CIPP/E certified for privacy and data protection in Europe

A relatively new decision (from 9.11.2018) by the National Commission for Computing and Liberties (the CNIL) should draw the attention of every digital marketing company and agency. It is a deterrent step aimed at digital advertising agencies, and it applies the GDPR (the General Data Protection Regulation in Europe) in practice: a substantial fine on an advertising agency in France for failing to meet the regulation's requirements.

Before I continue, I wish to draw your attention to the fact that the European Data Protection Board (EDPB) only recently published draft (not yet final) guidelines that expand our understanding of the extent to which the GDPR applies to companies and activities outside Europe. It is important to be familiar with them.

The French agency Vectaury published online advertising for its clients. The agency offered its clients an SDK to integrate into their applications in order to collect various data from the apps' users on the clients' behalf. The SDK collected data from users' devices even when the application was not in use. The data collected included device IDs, browser IDs, geolocation data and behavioral data from specific devices. It is important to note that the apps in which the SDK was embedded were operated by the agency's clients, not by the agency itself.

The data were sent back to the agency for analysis and then used to build a unique profile for every device, based on its behavior and the various locations it visited. The profile included a great deal of private data: for instance, what type of device it is (sophisticated or simple), which specific stores each device visited, when it visited them, how long it stayed there, and so on. This enabled the company to create profiles that map the habits of its clients' users. Based on these profiles, the SDK supplied information to targeted advertising platforms.

The CNIL did not approve of the way this company acted. After reviewing the matter it issued a formal notice obliging the company to correct its practices or face substantial fines. In its defense, the company argued before the CNIL that the data were collected with the consent of the data subjects. That point itself was not in dispute. However, the CNIL determined that the manner in which consent for data collection was obtained did not meet the requirements of the GDPR. This teaches us how the European privacy protection authorities view the way users should be informed that data is being collected about them, and how their consent should be requested.

First and foremost, when a user downloads the app to his mobile device and does not receive a clear notice that the app gathers geolocation data, this is a violation of the GDPR. Likewise, if the user does not receive a proper notice of the purposes for which the data is used, who the collecting party is and to whom the data will be transferred, this too is a violation of the regulation. These details were presented in the terms of use document, but it was determined that such presentation is insufficient: the information reached the user only after the data had already been saved and processed, not beforehand (as European standards require), and not as clearly and transparently as it should have.

Additionally, it was impossible to use the app without authorizing data collection, and moreover the user could not withdraw that authorization later. Any use of the app automatically sent data to the company, with no option to cancel. This denies the user the right to choose and to refuse, which the GDPR requires be granted.

The data protection authority also found that users received no explanation that the data about them would serve the system to "provide real time price bids and to define a business profile". The app used more general wording. Therefore, the description of the data's use was also not clear and granular enough, as the regulation requires.

Another point raised is that geolocation data was collected automatically, as the default setting. This runs counter to the GDPR's privacy by default principle, and therefore this element was disqualified as well.

The SDK was installed in over 32,000 apps, and the data collection covered more than 42 million device IDs and their geolocation data. It was determined that such processing is large-scale and that the risk it entails is relatively severe.

In view of the early stage of GDPR enforcement in Europe, the agency was not fined but was given a warning and ordered to remedy the violations within three months of the date of the decision. Otherwise, it will be fined.

This decision is a warning sign and an important milestone for everyone working in digital marketing. It helps us understand how digital advertising companies and agencies are expected to inform users when gathering data about them, and how they are expected to obtain the users' consent to data collection.

It is important to understand that the digital sphere, and digital marketing in particular, is subject to specific scrutiny by the authorities in Europe, and it is best not to underestimate that scrutiny. I will be happy to answer your questions on the matter.

About the Author: Yoram Lichtenstein, Esq.

The Yoram Lichtenstein Law Firm, CIPP/E certified for privacy and data protection in Europe, is an innovative boutique law firm. The firm takes pride in its ability to find optimal solutions while maintaining personal, close service, professionalism and innovation in the areas of internet law, technology, hi-tech, computers and intellectual property (such as copyrights, trademarks, domain names and e-commerce).
