French data protection authority CNIL has given French mobile ad location vendor Vectaury three months to expunge its data and get its business properly compliant with the General Data Protection Regulation.
The announcement, which was posted earlier this month, has triggered alarms among some publishing and ad tech executives as to what the ruling signals for the ad tech model. Several executives took to Twitter over the weekend to highlight some of the more wide-ranging consequences the ruling could potentially have for Google, the Interactive Advertising Bureau’s Transparency and Consent framework, and ad tech in general.
“It is a significant decision, with the potential to disrupt the ad tech model,” said a publishing executive who is still assessing the ramifications of the announcement.
Vectaury’s predicament has led some vendors to frantically double-check their own compliance processes, even those who were previously certain they were in the clear.
“There will be a lot of GDPR consultants starting to find a second wind,” said Andrew Buckman, managing director for Europe, the Middle East and Africa, for ad tech vendor Sublime. “Many businesses will be looking back at their integrations and implementation strategies in detail, including us.”
Others believe CNIL’s ruling, which follows two previous warnings to ad tech vendors Teemo and Fidzup, is a warning shot across the bow of the entire ad tech industry.
So far, the lack of widespread GDPR fines has prompted either puzzlement from industry executives or triumph from others keen to latch on to how the law has turned into another Y2K.
For Vectaury, however, which will potentially have to purge more than 42 million advertising identifiers collected from over 32,000 apps via bid requests, the business ramifications could be as severe as any fine.
“There is a school of thought that expunging your data is as damaging as getting a fine,” said Chad Wollen, chief marketing officer of ad tech vendor Smartpipe. “If you have a data-driven business model and it depends on profiles and the collection of data — it means you have to start from scratch.”
Wollen, who has spent the last six years deep in the GDPR weeds, believes the industry hasn’t done nearly enough to pacify regulators. Too many publishers still rely on assumed consent, where a user clicking through to an article without checking an “I consent” button is classified as having consented, and many vendors have also skirted details, according to Wollen, all in order to prevent digital ad revenues from dropping.
“We as an industry are not recognizing the appetite for change and the position we’re in. We’re moving a step in the right direction, then clinging to that, and patting ourselves on the back, but what’s expected [by regulators] is a colossal leap forward,” added Wollen. “What we’re doing as an industry is like waving a red bag to a bull — the bull being the regulator. We have got to show the regulators we understand we need to change, not just maintain the status quo.”
Mobile location vendors have always been in the hot seat when it comes to GDPR. They typically create audience segments using data pulled from bid streams: a no-no under GDPR without consent. Vectaury was pulled up by CNIL for collecting geolocation data from people using its software development kit embedded in mobile apps without properly informing them what they were giving permission for. The regulator determined that the company hadn’t obtained the necessary permission from users required under GDPR law. CNIL also criticized Vectaury for presenting users with pre-ticked boxes for consent — also against GDPR terms.
A more surprising statement from CNIL, and one that started tongues wagging about the potential shakiness of the IAB Europe Transparency and Consent framework, related to contractual agreements.
The regulator determined that a company cannot assume consent based on a contractual relationship. In other words, if a business deemed a controller under GDPR law has agreed to gain user consent on behalf of one of its digital ad partners which will use it for personalized ad targeting, the processor must verify that the consent has been obtained in a way that’s GDPR-bulletproof. Relying on a contractual agreement that stipulates all consent is bona fide won’t fly, according to CNIL.
The CNIL statement read: “The obligation imposed by Article 7 cannot be fulfilled by the mere presence of a contractual clause guaranteeing an initial consent validly collected. Vectaury must be able to demonstrate, for all the data it processes today, the validity of the expressed consent.”
The IAB Europe was quick to reinforce that it has always followed the same premise, and is pushing forward with ways to help businesses deemed processors under GDPR law verify obtained consent.
Easier said than done, however. Matthiesen conceded that more work is required on the framework to ensure it can provide companies with that level of certainty. In time, the IAB Europe will also audit CMPs to ensure that signals sent to vendors represent legally valid consent, he added. Currently, the IAB doesn’t dictate the exact user experience for CMPs, only baseline guidelines.
“We took note of the CNIL’s opinion that the standardized definitions of the purposes for processing are not easily comprehensible for users and are working on improving the clarity of these definitions,” added Matthiesen.