On July 19, the French Data Protection Authority (CNIL) announced that it concluded an investigation into two marketing platforms for failure to obtain app users’ consent for collecting location data for targeted advertising purposes in breach of the EU General Data Protection Regulation. The CNIL ordered the companies to obtain valid consent and rectify other identified breaches to avoid fines. The case is a warning to mobile app operators to ensure that the requisite consents are in place to geolocate and target users.
The CNIL’s announcement did not reference whether the relevant SDK providers are “data controllers” or “data processors” in the context of customers using their software and services. Based on the CNIL’s statements and an analysis of the platform providers’ activities (where publicly available), it appears that the providers act as processors for their customers (who are the controllers). Assuming this “processor” classification is correct, this regulatory investigation shows how a focus by EU data protection authorities on processors’ activities can be a powerful way to assess and verify potential noncompliance of multiple controllers, which may result in greater efficiency for the authorities.
The providers addressed by the CNIL, headquartered in France, integrate a tool (software development kit, or SDK) into the code of mobile apps of their business customers (e.g. retailers). The code allows the software providers to collect mobile advertising IDs and geolocation data from mobile app users, which is then used to display targeted, geolocated ads on the users’ mobile phones on behalf of the customers.
The CNIL inspected several mobile apps using the providers’ SDK tool and found that users had not been informed of the relevant processing activities occurring through the SDK and that the requisite consent had not been obtained, in breach of the French data protection law and the GDPR.
First, according to the CNIL, users had not received the requisite data protection information before downloading the apps, including the existence of the SDK and the related data collection and the use of their data for advertising targeting purposes.
There were a number of noteworthy findings by the CNIL that ought to provide fair warning to controllers who need data subject consent to processing:
- Certain necessary information was provided to users only after the data was collected, whereas obtaining valid consent requires providing that information beforehand.
- The user consent sought through the apps was limited to the use of geolocation data by the app operators. It did not cover the processing of the data for marketing purposes via the SDK tool.
- App users were not given the possibility to download a version of the customer app without the SDK tool, which is contrary to the requirement that consent be freely given in order to be valid.
Finally, the CNIL concluded that the retention of geolocation data by one provider for 13 months was excessive and disproportionate in relation to the relevant purposes of the processing. The CNIL stressed that geolocation data should be retained for the period strictly necessary and proportionate to achieve the purposes of collection, although it did not specify a recommended period.
The CNIL ordered the providers to obtain users’ valid consent within three months and to define a retention period for geolocation data that is proportionate to the purpose of the processing. Failure to do so within the prescribed time limit may result in fines (which may reach a maximum of 4 percent of global annual revenues or 20 million Euros, whichever is higher).
The CNIL stressed the need to publish its warning in order to raise awareness among professionals in the sector of the issues raised by the use of this type of technology. The CNIL has not stated whether the customers who engaged the providers to integrate the SDK tool in their apps to target their users are under investigation.
Under the GDPR, the customers using the relevant SDK providers’ software and services would be responsible for ensuring fair, lawful and transparent processing of their mobile users’ data, including obtaining the requisite consent to serve targeted advertisements and being able to demonstrate such consent if challenged. Yet (based on the information made available by the CNIL) the authority has addressed only the providers, irrespective of their apparent processor role. By investigating processors’ practices, EU authorities can identify potential noncompliance by multiple controllers at once, which may result in greater efficiency for the authorities.
Anticipate an uptick in such audits as processors are now directly subject to the GDPR and regulatory actions.
The case is a wake-up call for software providers and other processors to be prepared for EU authorities’ investigations in relation to their activities and not to be overly complacent as to their responsibilities in the data processing chain. Processors are widely considered to have a subordinated role to controllers under the GDPR. But the CNIL investigation and findings suggest that certain processors may find themselves subject to weightier responsibility than they anticipated as the authorities seek to maximize opportunities for enforcement efficiencies.