And What Steps You Can Take Today to Collect Valid User Consent
The French data protection authority (CNIL) has recently closed three cases (with companies Teemo, Fidzup and Singlespot) and issued a formal notice last month against Vectaury – four French small ad-tech companies focusing on providing ad targeting and marketing services based on geolocation data to retailers. The four cases looked into the validity of consent collected from mobile app users for the collection and processing of their geolocation data for ad targeting purposes.
What were the basic facts in those cases?
The ad-tech company was partnering with an app publisher (retailer in most cases) to provide ad targeting and marketing solutions. The ad-tech company had an SDK which integrated into their customers’ apps to collect the app user’s geolocation data, which were then transmitted to the ad tech company for ad targeting purposes, and in some cases real time bid requests. The CNIL examined whether the users’ consent was validly collected for that purpose and found that it was not because consent of the user was not informed, not specific, not freely given, and/or not given by an affirmative action. The first three cases were closed after the company updated their consent collection method, which the CNIL further considered to meet GDPR requirements.
The most recent notice against Vectaury received more attention as it involved the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (IAB TCF). The notice also provides the highest level of details with respect to both the facts and the analysis.
- Vectaury’s SDK allowed the collection of app users’ location data from the app and to transmit it to Vectaury.
- Vectaury had also developed its own consent management platform (CMP) implementing the IAB Transparency and Consent Framework to offer to their clients and collect users’ consent.
- Vectaury was relying on consent for the processing of the user’s geolocation data for ad targeting purposes, as well as for personal data received in real-time bid requests.
The CNIL found that user consent for data processed by Vectaury for ad targeting purposes was not valid because it was not informed, not specific, and not given by an affirmative action.
- Not informed: the CNIL found that the information text displayed to the user upon launching of the app was not transparent enough, as well as too complex, unclear and imprecise. More noteworthy, users were not informed of the identity of the companies with whom their data would be shared before being prompted to make a choice. Access to this information was only available after several clicks and scroll down.
- Not specific: While the user was prompted to provide consent for the processing of its geolocation data, how that information would be used was not clearly explained (e.g. On iOS, a user was notified that location data would be used to inform about local events, but did not specify the use of location data for marketing or ad targeting.)
- Not given by affirmative action: Data processing purposes were pre-ticked to “accept” by default.
It also found that Vectaury had no legal basis for the processing of personal data received from bid requests as it was not able to demonstrate it had obtained user’s consent other than by a showing of a contractual provision requiring the SSP to obtain user consent – which the CNIL deemed insufficient.
- As a result, the CNIL put French startup Vectaury on notice to cease processing of location data for targeted advertisement purposes without a valid legal basis in place and to delete all personal data it obtained without proper consent.
- This data deletion includes: About 5 million Ad ID collected from the SDK and 24 million Ad ID collected via the bid requests Vectaury responded to, and 45 million distinct ones via the bid requests it did not respond to.
What This Means in Practice
The Vectaury’s decision can help ad-tech vendors and other organizations understand the CNIL’s expectations for collecting valid consent in mobile apps for ad targeting purposes. Below are several key takeaways we got from those four cases.
1. The built-in mobile app consent prompts are not sufficient for consent
Relying on standard iOS and Android consent is not sufficient. The prompts did not specify the collection and processing of location data for marketing and ad targeting nor made available in an easily accessible form the list of third party recipients with whom data would be shared.
2. Specific and easily understandable information must be provided before a user is prompted to express a choice. This should include:
- The types of data being collected (e.g. advertising ID and geolocation data)
- The purpose(s) of processing
- Make sure to list each processing separately and to define them
- Information that, at any time, consent can be withdrawn and preferences updated
- Information about their rights under GDPR (right of access, rectify and object) with a link to the privacy notice providing additional details about those rights
- List of third parties with whom data may be shared
- Overall, language explaining consent choices should be clear and precise.
3. A list of all third parties with whom the data may be shared must be shown to the user in a clear and easily accessible way before h/s is prompted to make a choice (hyperlink or hover over)
4. Consent of the user must be given by an affirmative action
All purposes (how data may be used) and with whom it may be shared should be listed separately and be toggled off by default.
5. UI must show user options with “equal weighing”
- Three options should be given to the user after all necessary information has been shown
- I accept it all
- I confirm my choices (if the user has made some modifications, which would mean the user has enabled some purposes such as receiving ads relevant to them based on their location)
- I refuse it all
- All options must be presented in the same way (same square size, font, color etc).
- If the user refuses, the data is not collected and users can still use the app (freely given consent)
6. Companies must maintain records of consent, specifically what the user consented to and when they consented
This is needed for the company to be able to demonstrate it has valid consent .
How OneTrust Helps
It is critical to work with a well-resourced CMP provider that is highly active in keeping up with regulatory and standards developments, as well as has the engineering and development capacity to update the CMP solutions based on movements in the market.
Over the last year, there has been a proliferation of “free” CMP solutions, some that are offered by ad-tech vendors themselves such as in the case of Vectaury, which often times may not have this specific focus, motivation, and capacity.
OneTrust’s Consent Management Platform (CMP) is staffed by the industry’s largest dedicated engineering team, and the OneTrust team is highly engaged in regulatory conversations and standards development to offer the highest level of confidence for our customers.
For example, OneTrust was the first commercial CMP to support the IAB TCF framework, and has a deep level of support for the various capabilities and updates that are being made to IAB TCF. This is inclusive of both mobile app and web support. OneTrust also has the ability to store granular “records of consent”, as well as many other capabilities that are critical based on the learnings from the CNIL decisions referenced.
Additionally, OneTrust has added new configuration options, as well as modified default settings, in order to address the points raised by the CNIL in these decisions. Ultimately, our customers are responsible for using the configuration settings available in OneTrust, interpreting the regulation, and determining their unique risk appetite; however, given that OneTrust is among the most widely used CMP platforms in the world, our team is able to offer significant experience and best practices along this journey.
Current customers can visit myOneTrust for a support article on how to configure their consent solution to meet the standards outlined by the CNIL in its decision.