French data regulator’s mobile ad action rattles ad tech
French data protection authority CNIL has given French mobile ad location vendor Vectaury three months to expunge its data and get its business properly compliant with the General Data Protection Regulation.
The announcement, which was posted earlier this month, has triggered alarms among some publishing and ad tech executives as to what the ruling signals for the ad tech model. Several executives took to Twitter over the weekend to highlight some of the more wide-ranging consequences the ruling could potentially have for Google, the Interactive Advertising Bureau’s Transparency and Consent framework, and ad tech in general.
“It is a significant decision, with the potential to disrupt the ad tech model,” said a publishing executive who is still assessing the ramifications of the announcement.
Vectaury’s predicament has led some vendors to frantically double-check their own compliance processes, even those who were previously certain they were in the clear.
“There will be a lot of GDPR consultants starting to find a second wind,” said Andrew Buckman, managing director for Europe, the Middle East and Africa, for ad tech vendor Sublime. “Many businesses will be looking back at their integrations and implementation strategies in detail, including us.”
Others believe CNIL’s ruling, which follows two previous warnings to ad tech vendors Teemo and Fidzup, is a warning shot across the bow of the entire ad tech industry.
So far, the lack of widespread GDPR fines issued has either prompted puzzlement from industry executives or triumph from others keen to latch on to how the law has turned into another Y2K.
For Vectaury however, which will potentially have to purge more than 42 million advertising identifiers collected from over 32,000 apps, via bid requests, the business ramifications could be as severe as any fine.
“There is a school of thought that expunging your data is as damaging as getting a fine,” said Chad Wollen, chief marketing officer of ad tech vendor Smartpipe. “If you have a data-driven business model and it depends on profiles and the collection of data — it means you have to start from scratch.”
Wollen, who has spent the last six years deep in the GDPR weeds, believes the industry hasn’t done nearly enough to pacify regulators. Too many publishers still rely on assumed consent — where a user clicking through to an article, without checking an “I consent” button, is classified as consent, while many vendors have also skirted details, according to Wollen. All in order to prevent digital ad revenues dropping.
“We as an industry are not recognizing the appetite for change and the position we’re in. We’re moving a step in the right direction, then clinging to that, and patting ourselves on the back, but what’s expected [by regulators] is a colossal leap forward,” added Wollen. “What we’re doing as an industry is like waving a red bag to a bull — the bull being the regulator. We have got to show the regulators we understand we need to change not just maintain the status quo.”
Mobile location vendors have always been in the hot seat when it comes to GDPR. They typically create audience segments using data pulled from bid streams: a no-no under GDPR without consent. Vectaury was pulled up by CNIL for collecting geolocation data from people using its software development kit embedded in mobile apps without properly informing them what they were giving permission for. The regulator determined that the company hadn’t obtained the necessary permission from users required under GDPR law. CNIL also criticized Vectaury for presenting users with pre-ticked boxes for consent — also against GDPR terms.
What was a more surprising statement from CNIL, and which started tongues wagging about the potential shakiness of the IAB Europe Transparency and Consent framework, was related to contractual agreements.
The regulator determined that a company cannot assume consent based on a contractual relationship. In other words, if a business deemed a controller under GDPR law has agreed to gain user consent on behalf of one of its digital ad partners which will use it for personalized ad targeting, the processor must verify that the consent has been obtained in a way that’s GDPR-bulletproof. Relying on a contractual agreement that stipulates all consent is bona fide won’t fly, according to CNIL.
The CNIL statement read: “The obligation imposed by Article 7 cannot be fulfilled by the mere presence of a contractual clause guaranteeing an initial consent validly collected. Vectaury must be able to demonstrate, for all the data it processes today, the validity of the expressed consent.”
The IAB Europe was quick to reinforce that it has always followed the same premise, and is pushing forward with ways to help businesses deemed processors under GDPR law, verify obtained consent.
Easier said than done, however. Matthiesen conceded that more work is required on the framework to ensure it can provide companies with that level of certainty. In time, the IAB Europe will also audit CMPs to ensure that signals sent to vendors represent legally valid consent, he added. Currently, the IAB doesn’t dictate the exact user experience for CMPs, only baseline guidelines.
“We took note of the CNIL’s opinion that the standardized definitions of the purposes for processing are not easily comprehensible for users and are working on improving the clarity of these definitions,” added Matthiesen.
‘I could barely walk’: Some COVID long-haulers radically reduce work hours to cope with symptoms
Professionals who are COVID long-haulers, have had to radically adjust their working schedules in order to cope with symptoms.
Member ExclusivePublishing Summit Recap: Publishers establish infrastructure to future-proof data sets
Publishers shared insights at the Digiday Publishing Summit at the end of September in Miami.
Dow Jones expands Twitter ad revenue-sharing deal to include more properties and for additional years
Dow Jones is adding Barron's, MarketWatch and Investor's Business Daily to become part of Twitter's Amplify program, which has helped the media company to attract social ad buyers.
SponsoredQuestion of the Day: The state of the holiday season for publishers
The Digiday Publishing Summit brought leaders in the world of media companies together with the platform and technology partners that work with them. Across the course of three days in Miami, in September 2021, experts and executives framed the state of publishing — identifying trends and next steps to follow in the year to come. In […]
Publisher and agency executives scrutinize email-based universal IDs as the third-party cookie’s long-term heir apparent
Email-based universal IDs may improve upon the cookie in some ways, but relying upon the email address can introduce privacy concerns.
Member ExclusiveMedia Buying Briefing: A look at the big topics at the Media Buying Summit this week
Media buyers, planners and clients’ efforts to adapt to a changed world will be addressed in a number of ways at Digiday’s Media Buying Summit in Miami this week.