French data regulator’s mobile ad action rattles ad tech
French data protection authority CNIL has given French mobile ad location vendor Vectaury three months to expunge its data and get its business properly compliant with the General Data Protection Regulation.
The announcement, which was posted earlier this month, has triggered alarms among some publishing and ad tech executives as to what the ruling signals for the ad tech model. Several executives took to Twitter over the weekend to highlight some of the more wide-ranging consequences the ruling could potentially have for Google, the Interactive Advertising Bureau’s Transparency and Consent framework, and ad tech in general.
“It is a significant decision, with the potential to disrupt the ad tech model,” said a publishing executive who is still assessing the ramifications of the announcement.
Vectaury’s predicament has led some vendors to frantically double-check their own compliance processes, even those who were previously certain they were in the clear.
“There will be a lot of GDPR consultants starting to find a second wind,” said Andrew Buckman, managing director for Europe, the Middle East and Africa, for ad tech vendor Sublime. “Many businesses will be looking back at their integrations and implementation strategies in detail, including us.”
Others believe CNIL’s ruling, which follows two previous warnings to ad tech vendors Teemo and Fidzup, is a warning shot across the bow of the entire ad tech industry.
So far, the lack of widespread GDPR fines issued has either prompted puzzlement from industry executives or triumph from others keen to latch on to how the law has turned into another Y2K.
For Vectaury however, which will potentially have to purge more than 42 million advertising identifiers collected from over 32,000 apps, via bid requests, the business ramifications could be as severe as any fine.
“There is a school of thought that expunging your data is as damaging as getting a fine,” said Chad Wollen, chief marketing officer of ad tech vendor Smartpipe. “If you have a data-driven business model and it depends on profiles and the collection of data — it means you have to start from scratch.”
Wollen, who has spent the last six years deep in the GDPR weeds, believes the industry hasn’t done nearly enough to pacify regulators. Too many publishers still rely on assumed consent — where a user clicking through to an article, without checking an “I consent” button, is classified as consent, while many vendors have also skirted details, according to Wollen. All in order to prevent digital ad revenues dropping.
“We as an industry are not recognizing the appetite for change and the position we’re in. We’re moving a step in the right direction, then clinging to that, and patting ourselves on the back, but what’s expected [by regulators] is a colossal leap forward,” added Wollen. “What we’re doing as an industry is like waving a red bag to a bull — the bull being the regulator. We have got to show the regulators we understand we need to change not just maintain the status quo.”
Mobile location vendors have always been in the hot seat when it comes to GDPR. They typically create audience segments using data pulled from bid streams: a no-no under GDPR without consent. Vectaury was pulled up by CNIL for collecting geolocation data from people using its software development kit embedded in mobile apps without properly informing them what they were giving permission for. The regulator determined that the company hadn’t obtained the necessary permission from users required under GDPR law. CNIL also criticized Vectaury for presenting users with pre-ticked boxes for consent — also against GDPR terms.
What was a more surprising statement from CNIL, and which started tongues wagging about the potential shakiness of the IAB Europe Transparency and Consent framework, was related to contractual agreements.
The regulator determined that a company cannot assume consent based on a contractual relationship. In other words, if a business deemed a controller under GDPR law has agreed to gain user consent on behalf of one of its digital ad partners which will use it for personalized ad targeting, the processor must verify that the consent has been obtained in a way that’s GDPR-bulletproof. Relying on a contractual agreement that stipulates all consent is bona fide won’t fly, according to CNIL.
The CNIL statement read: “The obligation imposed by Article 7 cannot be fulfilled by the mere presence of a contractual clause guaranteeing an initial consent validly collected. Vectaury must be able to demonstrate, for all the data it processes today, the validity of the expressed consent.”
The IAB Europe was quick to reinforce that it has always followed the same premise, and is pushing forward with ways to help businesses deemed processors under GDPR law, verify obtained consent.
Easier said than done, however. Matthiesen conceded that more work is required on the framework to ensure it can provide companies with that level of certainty. In time, the IAB Europe will also audit CMPs to ensure that signals sent to vendors represent legally valid consent, he added. Currently, the IAB doesn’t dictate the exact user experience for CMPs, only baseline guidelines.
“We took note of the CNIL’s opinion that the standardized definitions of the purposes for processing are not easily comprehensible for users and are working on improving the clarity of these definitions,” added Matthiesen.
How The 19th relied on memberships and funding to launch during a pandemic
In order to keep on schedule to launch ahead of the U.S. presidential election, non-profit publisher The 19th had to rely heavily on membership and fundraising to meet its launch goal of $4 million.
‘Let the buyers know you exist’: How Morning Brew plans to grow brand ad dollars from its base of direct response
Direct-response ads accounted for 90% of Morning Brew's 2019 revenue in 2019. Its CEO wants brand advertising to account for 50% by the end of 2021.
‘A significant uptick in deal flow’: Why Europe is becoming a hotbed of ad tech innovation
Ad tech companies with data privacy and identity solutions are in vogue among the sector's investors and acquirers.
SponsoredPublishers: Assessing risk and ensuring payments in times of crisis
As the industry navigates the continued impacts of COVID-19, here’s the questions publishers should ask their programmatic partners or ad management providers to protect themselves from clawbacks and lost revenue.
‘We can be agile and evolve’: News UK is quickly growing a 7-figure incremental revenue stream from social video
The goal for Social Studio is a 10-day turnaround from campaign booking to going live.
Lack of events revenue squeezes B2B media, forcing virtual volume — and innovation
Advertising, subscriptions and commerce have begun to recover. But events have not, and B2B media companies are feeling the squeeze.