Why a French ruling against a small mobile ad firm has ad tech on the defensive
Earlier this month, French data authority CNIL put French ad tech company Vectaury on notice for violating consent-gathering rules under Europe’s General Data Protection Regulation (GDPR). Vectaury collects geolocation data through behind-the-scenes methods such as software development kits (SDKs) and real-time ad bidding (RTB) for mobile ad targeting purposes. The company specializes in mobile advertising aimed at driving people to retail locations.
What happened. After an April investigation by the CNIL (la Commission nationale de l’informatique et des libertés) revealed that Vectaury had obtained personal data without proper consent. The company had created its own consent management platform (CMP). The CNIL said that Vectaury’s consent tool does not comply with GDPR because:
- The language was unclear, complex and not easily accessible
- The consent was not specific to the processing of geolocation data for targeted marketing
- The user’s choice wasn’t based on an affirmative action, or opt-in
The CNIL has given Vectaury three months to come into compliance. Companies found in breach of GDPR can be assessed fees up to €20 million, or 4 percent of their annual revenue, whichever is higher.
Ruling appears to imply the IAB consent framework has problems. Almost immediately after CNIL posted its notice, several prominent privacy voices online said that the charges showed irrefutable flaws in the ability of the IAB Transparency and Consent Framework (TCF) to properly collect consent under GDPR. In theory, the TCF enables publishers and ad tech firms to collect consent and then ‘signal’ that consent across the advertising supply chain.
In looking at the CNIL ruling, New York Times’ data governance and privacy expert Robin Berjon said that it shows that consent gathered elsewhere and signaled through the IAB Europe’s consent framework is “inherently invalid” per GDPR’s Article 7, “you cannot pass consent to another controller through a contractual relationship.”
“It may seem like small fry, but the decision has potential wide-ranging impacts for Google, the IAB framework, and today’s adtech,” Berjon tweeted.
Johnny Ryan, who currently serves as chief policy & industry relations officer for open-source browser Brave, agreed, saying that CNIL’s decision illustrates several problems with the framework, including violation of the “purpose specification” principle, which requires that consent be gathered for specific purposes; not supplying information to users about who is receiving their data; and not proving the validity of passed consent.
“This decision should be a wake-up call for the industry, a milestone in its reform,” Ryan said in an email.
IAB Europe pushes back. The IAB Europe refutes these claims. Matthias Matthiesen, director of privacy and public policy for IAB Europe, said that the CNIL’s decision does not mean that the TCF is problematic.
“Nowhere does the CNIL say in its notice to Vectaury that the IAB Europe Transparency & Consent Framework’s approach is inherently invalid,” Matthiesen said. “The CNIL’s notice was specifically about Vectaury’s approach to obtaining consent. If anything, we feel reinforced in our positions.”
Stacey Gray, policy counsel of the Future of Privacy Forum, agreed “that the scope of the decision is limited to Vectaury’s own implementation of IAB’s standards (rather than a direct ruling on the consent framework itself).”
“That said,” Gray said. “It’s challenging to obtain specific consent in the mobile app setting for some partners and purposes, and so it’s an open question of what a legally valid CMP implementation would look like.”
Not the first time the IAB Europe’s framework has been called into question. The IAB Europe’s framework has been met with criticism since it was first unveiled in March 2018. Google, in particular, has delayed joining, citing technical concerns. Ryan, who used to be head of ecosystem for anti-ad-blocking solutions provider PageFair, told us in January that consent in general was “unworkable” under GDPR, saying the TCF didn’t sufficiently track the sharing of user consent records.
Why you should care. As Matthiesen notes, GDPR went into effect in May and will likely evolve in practice. But this type of charge against data-driven companies like Vectaury affects U.S. companies in several ways. First, global companies that handle the personal data of European Union (EU) members are beholden to GDPR, and could face investigations and penalties. Second, the U.S. is looking to pass its own set of privacy regulations, and cases like these serve as real-life previews to what businesses might face here.
Finally, if regulatory frameworks such as the IAB TCF aren’t adequate for the job, what what will be? In October, the IAB Tech Lab — which has worked with IAB Europe on its framework — started testing PrivacyChain, a blockchain-based way to track consent it developed with identity resolution provider LiveRamp as a way to address some of these concerns. Of course, an alternative is for the industry to upend the adtech complex and stop using personal data for ad targeting purposes.