French data protection authority CNIL has given French mobile ad location vendor Vectaury three months to expunge its data and get its business properly compliant with the General Data Protection Regulation.
The announcement, which was posted earlier this month, has triggered alarms among some publishing and ad tech executives as to what the ruling signals for the ad tech model. Several executives took to Twitter over the weekend to highlight some of the more wide-ranging consequences the ruling could potentially have for Google, the Interactive Advertising Bureau’s Transparency and Consent framework, and ad tech in general.
“It is a significant decision, with the potential to disrupt the ad tech model,” said a publishing executive who is still assessing the ramifications of the announcement.
Vectaury’s predicament has led some vendors to frantically double-check their own compliance processes, even those who were previously certain they were in the clear.
“There will be a lot of GDPR consultants starting to find a second wind,” said Andrew Buckman, managing director for Europe, the Middle East and Africa, for ad tech vendor Sublime. “Many businesses will be looking back at their integrations and implementation strategies in detail, including us.”
Others believe CNIL’s ruling, which follows two previous warnings to ad tech vendors Teemo and Fidzup, is a warning shot across the bow of the entire ad tech industry.
So far, the lack of widespread GDPR fines issued has either prompted puzzlement from industry executives or triumph from others keen to latch on to how the law has turned into another Y2K.
For Vectaury however, which will potentially have to purge more than 42 million advertising identifiers collected from over 32,000 apps, via bid requests, the business ramifications could be as severe as any fine.
“There is a school of thought that expunging your data is as damaging as getting a fine,” said Chad Wollen, chief marketing officer of ad tech vendor Smartpipe. “If you have a data-driven business model and it depends on profiles and the collection of data — it means you have to start from scratch.”
Wollen, who has spent the last six years deep in the GDPR weeds, believes the industry hasn’t done nearly enough to pacify regulators. Too many publishers still rely on assumed consent — where a user clicking through to an article, without checking an “I consent” button, is classified as consent, while many vendors have also skirted details, according to Wollen. All in order to prevent digital ad revenues dropping.
“We as an industry are not recognizing the appetite for change and the position we’re in. We’re moving a step in the right direction, then clinging to that, and patting ourselves on the back, but what’s expected [by regulators] is a colossal leap forward,” added Wollen. “What we’re doing as an industry is like waving a red bag to a bull — the bull being the regulator. We have got to show the regulators we understand we need to change not just maintain the status quo.”
Mobile location vendors have always been in the hot seat when it comes to GDPR. They typically create audience segments using data pulled from bid streams: a no-no under GDPR without consent. Vectaury was pulled up by CNIL for collecting geolocation data from people using its software development kit embedded in mobile apps without properly informing them what they were giving permission for. The regulator determined that the company hadn’t obtained the necessary permission from users required under GDPR law. CNIL also criticized Vectaury for presenting users with pre-ticked boxes for consent — also against GDPR terms.
What was a more surprising statement from CNIL, and which started tongues wagging about the potential shakiness of the IAB Europe Transparency and Consent framework, was related to contractual agreements.
The regulator determined that a company cannot assume consent based on a contractual relationship. In other words, if a business deemed a controller under GDPR law has agreed to gain user consent on behalf of one of its digital ad partners which will use it for personalized ad targeting, the processor must verify that the consent has been obtained in a way that’s GDPR-bulletproof. Relying on a contractual agreement that stipulates all consent is bona fide won’t fly, according to CNIL.
The CNIL statement read: “The obligation imposed by Article 7 cannot be fulfilled by the mere presence of a contractual clause guaranteeing an initial consent validly collected. Vectaury must be able to demonstrate, for all the data it processes today, the validity of the expressed consent.”
The IAB Europe was quick to reinforce that it has always followed the same premise, and is pushing forward with ways to help businesses deemed processors under GDPR law, verify obtained consent.
Easier said than done, however. Matthiesen conceded that more work is required on the framework to ensure it can provide companies with that level of certainty. In time, the IAB Europe will also audit CMPs to ensure that signals sent to vendors represent legally valid consent, he added. Currently, the IAB doesn’t dictate the exact user experience for CMPs, only baseline guidelines.
“We took note of the CNIL’s opinion that the standardized definitions of the purposes for processing are not easily comprehensible for users and are working on improving the clarity of these definitions,” added Matthiesen.
Podcasters are pitching longer, more lucrative ads, but ad buyers prefer shorter, cheaper spots
While podcast production companies and creative studios pitch custom, longer-form podcast ads, buyers prefer ads under a minute long due to budgets, reach and audience attention.
Media Buying Briefing: Four takeaways on Upfront Week from a buyer’s perspective
Beyond a general optimism to be back in person for Upfront Week, buyers shared their thoughts on what worked and what still needs to happen.
How publishers are future proofing their commerce offerings for post-pandemic consumers
Four publishers gathered at Digiday Media's Commerce for Publishers Forum to talk about their affiliate programs and strategies.
SponsoredHow marketers and retailers are unlocking the true value of retail media
Ben Kneen, senior director of product management, Xandr It’s a challenging time for retailers in the advertising industry. As they cope with supply chain woes and inflation-related pressures, they seek high-margin revenue streams amid evolving privacy regulations and massive shifts in identity solutions — including IDFA, the deprecation of third-party cookies and more. In light […]
Member ExclusiveMedia Briefing: Publishers and media unions are still haggling over office-return plans heading into the summer
In this week's Media Briefing, senior media reporter Sara Guaglione reports on how unions at some major media companies are pushing back against publishers' return to office mandates, with The New York Times Guild seemingly netting a victory on Wednesday.
‘He thought I was accusing him of being racist’: Confessions of a comms pro on working with out of touch leadership
The [CEO] and one of the other co-founders felt the need to point out that they mentor black people and donate to black-focused charities. 'It wasn't about them, but they were making it about them.'