And What Steps You Can Take Today to Collect Valid User Consent

The French data protection authority (CNIL) has recently closed three cases (with companies Teemo, Fidzup and Singlespot) and issued a formal notice last month against Vectaury – four small French ad-tech companies that provide ad targeting and marketing services based on geolocation data to retailers. The four cases looked into the validity of consent collected from mobile app users for the collection and processing of their geolocation data for ad targeting purposes.

What were the basic facts in those cases? 

The ad-tech company was partnering with an app publisher (a retailer in most cases) to provide ad targeting and marketing solutions. The ad-tech company had an SDK which was integrated into its customers’ apps to collect the app user’s geolocation data, which was then transmitted to the ad-tech company for ad targeting purposes and, in some cases, real-time bid requests. The CNIL examined whether the users’ consent was validly collected for that purpose and found that it was not, because the user’s consent was not informed, not specific, not freely given, and/or not given by an affirmative action. The first three cases were closed after each company updated its consent collection method, which the CNIL further considered to meet GDPR requirements.

The most recent notice against Vectaury received more attention as it involved the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (IAB TCF). The notice also provides the greatest level of detail with respect to both the facts and the analysis.

Vectaury Case

CNIL’s Findings

The CNIL found that user consent for data processed by Vectaury for ad targeting purposes was not valid because it was not informed, not specific, and not given by an affirmative action.

It also found that Vectaury had no legal basis for the processing of personal data received from bid requests, as it was not able to demonstrate that it had obtained the user’s consent other than by pointing to a contractual provision requiring the SSP to obtain user consent – which the CNIL deemed insufficient.

CNIL’s notice

 

What This Means in Practice

The Vectaury decision can help ad-tech vendors and other organizations understand the CNIL’s expectations for collecting valid consent in mobile apps for ad targeting purposes. Below are several key takeaways we drew from those four cases.

1. The built-in mobile app consent prompts are not sufficient for consent

Relying on the standard iOS and Android consent prompts is not sufficient. The prompts neither specified the collection and processing of location data for marketing and ad targeting nor made the list of third-party recipients with whom data would be shared available in an easily accessible form.

2. Specific and easily understandable information must be provided before a user is prompted to express a choice. This should include:

3. A list of all third parties with whom the data may be shared must be shown to the user in a clear and easily accessible way before he/she is prompted to make a choice (hyperlink or hover-over)

 

4. Consent of the user must be given by an affirmative action

All purposes (how data may be used) and all recipients (with whom it may be shared) should be listed separately and toggled off by default.

 

5. UI must show user options with “equal weighting”

6. Companies must maintain records of consent, specifically what the user consented to and when they consented

This is needed for the company to be able to demonstrate that it has valid consent.

How OneTrust Helps

It is critical to work with a well-resourced CMP provider that is highly active in keeping up with regulatory and standards developments and that has the engineering and development capacity to update its CMP solutions based on movements in the market.

Over the last year, there has been a proliferation of “free” CMP solutions, some of which are offered by ad-tech vendors themselves, as in the case of Vectaury, and which often may not have this specific focus, motivation, and capacity.

OneTrust’s Consent Management Platform (CMP) is staffed by the industry’s largest dedicated engineering team, and the OneTrust team is highly engaged in regulatory conversations and standards development to offer the highest level of confidence for our customers.

For example, OneTrust was the first commercial CMP to support the IAB TCF framework, and has a deep level of support for the various capabilities and updates that are being made to IAB TCF. This includes both mobile app and web support. OneTrust also has the ability to store granular “records of consent”, as well as many other capabilities that are critical based on the learnings from the CNIL decisions referenced.

Additionally, OneTrust has added new configuration options, as well as modified default settings, in order to address the points raised by the CNIL in these decisions. Ultimately, our customers are responsible for using the configuration settings available in OneTrust, interpreting the regulation, and determining their unique risk appetite; however, given that OneTrust is among the most widely used CMP platforms in the world, our team is able to offer significant experience and best practices along this journey.

Current customers can visit myOneTrust for a support article on how to configure their consent solution to meet the standards outlined by the CNIL in its decision.

To get started with OneTrust’s consent solutions, request a free trial or get started with a free edition of our solutions.