French data regulator’s mobile ad action rattles ad tech
French data protection authority CNIL has given French mobile ad location vendor Vectaury three months to expunge its data and get its business properly compliant with the General Data Protection Regulation.
The announcement, which was posted earlier this month, has triggered alarms among some publishing and ad tech executives as to what the ruling signals for the ad tech model. Several executives took to Twitter over the weekend to highlight some of the more wide-ranging consequences the ruling could potentially have for Google, the Interactive Advertising Bureau’s Transparency and Consent framework, and ad tech in general.
“It is a significant decision, with the potential to disrupt the ad tech model,” said a publishing executive who is still assessing the ramifications of the announcement.
Vectaury’s predicament has led some vendors to frantically double-check their own compliance processes, even those who were previously certain they were in the clear.
“There will be a lot of GDPR consultants starting to find a second wind,” said Andrew Buckman, managing director for Europe, the Middle East and Africa, for ad tech vendor Sublime. “Many businesses will be looking back at their integrations and implementation strategies in detail, including us.”
Others believe CNIL’s ruling, which follows two previous warnings to ad tech vendors Teemo and Fidzup, is a warning shot across the bow of the entire ad tech industry.
So far, the lack of widespread GDPR fines issued has either prompted puzzlement from industry executives or triumph from others keen to latch on to how the law has turned into another Y2K.
For Vectaury however, which will potentially have to purge more than 42 million advertising identifiers collected from over 32,000 apps, via bid requests, the business ramifications could be as severe as any fine.
“There is a school of thought that expunging your data is as damaging as getting a fine,” said Chad Wollen, chief marketing officer of ad tech vendor Smartpipe. “If you have a data-driven business model and it depends on profiles and the collection of data — it means you have to start from scratch.”
Wollen, who has spent the last six years deep in the GDPR weeds, believes the industry hasn’t done nearly enough to pacify regulators. Too many publishers still rely on assumed consent — where a user clicking through to an article, without checking an “I consent” button, is classified as consent, while many vendors have also skirted details, according to Wollen. All in order to prevent digital ad revenues dropping.
“We as an industry are not recognizing the appetite for change and the position we’re in. We’re moving a step in the right direction, then clinging to that, and patting ourselves on the back, but what’s expected [by regulators] is a colossal leap forward,” added Wollen. “What we’re doing as an industry is like waving a red bag to a bull — the bull being the regulator. We have got to show the regulators we understand we need to change not just maintain the status quo.”
Mobile location vendors have always been in the hot seat when it comes to GDPR. They typically create audience segments using data pulled from bid streams: a no-no under GDPR without consent. Vectaury was pulled up by CNIL for collecting geolocation data from people using its software development kit embedded in mobile apps without properly informing them what they were giving permission for. The regulator determined that the company hadn’t obtained the necessary permission from users required under GDPR law. CNIL also criticized Vectaury for presenting users with pre-ticked boxes for consent — also against GDPR terms.
What was a more surprising statement from CNIL, and which started tongues wagging about the potential shakiness of the IAB Europe Transparency and Consent framework, was related to contractual agreements.
The regulator determined that a company cannot assume consent based on a contractual relationship. In other words, if a business deemed a controller under GDPR law has agreed to gain user consent on behalf of one of its digital ad partners which will use it for personalized ad targeting, the processor must verify that the consent has been obtained in a way that’s GDPR-bulletproof. Relying on a contractual agreement that stipulates all consent is bona fide won’t fly, according to CNIL.
The CNIL statement read: “The obligation imposed by Article 7 cannot be fulfilled by the mere presence of a contractual clause guaranteeing an initial consent validly collected. Vectaury must be able to demonstrate, for all the data it processes today, the validity of the expressed consent.”
The IAB Europe was quick to reinforce that it has always followed the same premise, and is pushing forward with ways to help businesses deemed processors under GDPR law, verify obtained consent.
Easier said than done, however. Matthiesen conceded that more work is required on the framework to ensure it can provide companies with that level of certainty. In time, the IAB Europe will also audit CMPs to ensure that signals sent to vendors represent legally valid consent, he added. Currently, the IAB doesn’t dictate the exact user experience for CMPs, only baseline guidelines.
“We took note of the CNIL’s opinion that the standardized definitions of the purposes for processing are not easily comprehensible for users and are working on improving the clarity of these definitions,” added Matthiesen.
Newsletter publishers say they continue to see uptick in revenue despite advertising slowdown
At a time when larger media companies are feeling the pressure of the economic downturn and advertising slowdown, newsletter businesses continue to be in a period of revenue growth.
TikTok’s CEO faces bipartisan skepticism in first Congressional hearing on security concerns
The hearing comes amid calls to remove TikTok from government devices and in some cases even ban it entirely.
Media Briefing: What to expect at the Digiday Publishing Summit
As DPS draws nearer, top pain points for publishers are coming to light.
SponsoredHow advertisers are leveraging omnichannel attribution and measurement to power CTV
Sponsored by MNTN Connected TV advertising has joined and expanded the larger ecosystem of campaigns that advertisers deploy. As such, omnichannel marketing strategies now encompass television and mobile devices, tablets and other screens such as out-of-home. And as customers engage across these different touchpoints, brands are seeking and moving their measurement and analytics efforts to […]
New app launches through Apple hoping to win with ‘zero-party data’ when others haven’t
Caden's new app lets users connect data from their Uber, Amazon, Netflix and other accounts in exchange for money. Will it take off?
‘The next level for us’: The New York Times eyes better retention for games in subscription drive
The games division is focusing on finding new ways to mine the inherent competitive nature of games like encouraging people to play multiple games in a single session or through new achievements and rewards for progression.