In its October 30 decision, French supervisory authority, the CNIL, declared that French ad tech startup, Vectaury, violated the EU General Data Protection Regulation by not obtaining valid consent for its collection and use of geolocation data from partner apps and bid requests for targeted advertising purposes. Most notably, the CNIL concluded that Vectaury’s consent management platform, based on IAB Europe’s Transparency & Consent Framework to a certain degree, did not provide sufficiently transparent information about the purposes of data processing.

Since the TCF is used throughout the digital advertising industry to obtain consent, prognosticators are predicting the decision will end the advertising ecosystem and real-time bidding as we know it. However, we argue the CNIL’s key findings show that most of Vectaury’s consent deficiencies either violated, or were not caused by, the TCF and the TCF-specific issues are remediable.

Consent notice deficiencies

The CNIL objected to Vectaury’s CMP implemented on its partners’ apps. However, the TCF did not cause such issues or prevent Vectaury from satisfying the CNIL’s interpretation of GDPR consent requirements (except as discussed below). In fact, many of those requirements are also mandated under TCF policies (e.g., processing purposes and controller list in initial notice and affirmative action), though such policies should be clearer in this regard.

Upon a partner app’s launch, the CMP displayed an initial notice summarizing use of personal data and gave certain options: “Accept,” “Refuse,” and “Manage Preferences” (or similar verbiage). The decision stated that global “Accept” and “Refuse” options are allowed under the GDPR, provided certain requirements are met. The CNIL cited the following defects:

1. Users were not appropriately informed of all data processing purposes before global consent options were displayed. The CNIL suggests that the initial notice can state the various purposes and that more information can be provided in a layered manner (e.g., by clicking “Manage Preferences”).
2. Purposes were “pre-ticked.” Instead, all purposes must be initially set to “off” and an affirmative action must then indicate user choice. Further, the CNIL states that purpose-by-purpose consent options must also be available.
3. The notice misled users. The CNIL criticized certain language that could mislead users into thinking that refusing consent resulted in fees or more intrusive advertising.
4. The notice did not list the controllers with whom data would be shared or provide a direct hyperlink to such list.
5. Purposes lack transparency.

The TCF requires the display of certain pre-defined processing purposes, which the CNIL concluded lacked sufficient transparency for valid consent. It cited the definition of “Personalization” as its only example, stating that it was too difficult to understand and imprecisely worded. 

Thus, relying on the TCF’s definitions will currently not satisfy valid consent under the CNIL’s view. However, the CNIL did not go so far to state that the TCF is incapable of providing valid consent. Indeed, IAB Europe has stated that it has been revising its definitions after consultation with the CNIL and other supervisory authorities earlier this year.

RTB consent string

During real-time bidding, SSPs sent Vectaury bid requests containing geolocation data for buying ad inventory. Vectaury and the SSPs had contracts requiring the latter to obtain valid consent on Vectaury's behalf. 

The CNIL stated that Vectaury must be able to demonstrate valid consent for the data it processes; contractual mandates are insufficient. Since Vectaury could not demonstrate consent, the data could not be processed.

Many articles have erroneously claimed that this element of the decision precludes the TCF’s usage for real-time bidding. However, the TCF does not rely on contracts to demonstrate consent. Rather, it uses an auditable consent string, signaling buyers that a user has consented to distinct processing activities.

The consent string contains a consent provider ID, timestamp, and additional metadata. In light of the decision, IAB Europe should consider including a field indicating the CMP version in effect at the time consent was obtained. Since versions will change over time, each consent provider should be required to document each version at a conspicuous location or send such documentation for hosting by IAB Europe.

Conclusion

Predictions that the decision will end targeted advertising, the TCF, or RTB are misplaced. In fact, where some have suggested that the ecosystem inherently violates certain GDPR requirements, the decision is noticeably silent. The CNIL said nothing about Vectaury violating data minimization, did not state that geolocation data within bid requests are per se “special categories of data,” and did not declare RTB or targeted advertising incompatible with the GDPR.

Further, the CNIL published a decision against another startup, Teemo, for similar consent deficiencies when collecting geolocation on partner apps for targeted advertising. The CNIL stated that Teemo had remediated its compliance issues after satisfying its consent requirements within three months. The challenges are difficult yet not insurmountable.

These decisions show that consent can justify various ad-related activities, provided certain improvements are made to transparency and accountability.

photo credit: checked_tick via photopin (license)