Who targets whom?
The advertising ecosystem is composed of a chain encompassing several actors. A number of advertising intermediaries are the interface between the data subjects to whom ads are displayed and the advertisers who wish to provide ads to the data subjects. The Opinion of the European Data Protection Board (EDPB – formerly known as "Article 29 Working Party") issued in 2010 analyses online targeted advertising mainly through the prism of the relations between (1) advertisers, (2) editors or publishers of websites/apps on which ads are displayed and (3) one single type of advertising intermediary, referred to as 'ad networks'. The reality is a lot more complex.
How does it work?
Some intermediaries collect the data subjects' unique advertising ID and combine it with location data through the SDK technology that they integrate into a partner's mobile app. This data is subsequently combined with the geographical coordinates of physical points of interest, such as a partner's physical store, to create a user profile and to provide targeted advertising to that user. This data is then stored and enriched in a database. Similar business models consist of collecting advertising IDs associated with MAC addresses (i.e. another unique identifier). Targeted advertising is then sent to users located in the proximity of a partner's physical store. In both cases, advertising IDs (Apple or Android ID) enable these intermediaries to indirectly identify smartphone users.
On the difficulties of obtaining valid consent for targeted online advertising
Since the General Data Protection Regulation (GDPR) came into force in May 2018, the CNIL has issued four public formal notices against Fidzup, Singlespot, Teemo and recently against Vectaury, all of whom are involved in the advertising business.
The CNIL's formal notices come at a time when the advertising sector is still debating the alternative between "consent" and the controller's "legitimate interest" as a legal basis to process personal data for the purpose of targeted advertising. In the above-mentioned cases, the concerned intermediaries were extensively collecting location data from users' smartphones and combining them with other sets of data, which requires consent under the GDPR.
The CNIL considered that these intermediaries had not obtained valid consent, as it was not freely given, specific and informed. While three formal notices were issued on the grounds of the French Data Protection Act prior to the GDPR coming into force, the formal notice issued against Singlespot explicitly refers to the GDPR, even though the facts in the Singlespot case predate the GDPR's entry into force. Indeed, in its decision to issue a formal notice, the CNIL analyses the validity of consent based on the revised definition of consent under the GDPR, i.e.: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (art. 4(11)). The CNIL also refers in the above cases to the EDPB's guidelines on consent to justify its interpretation of the law.
In these decisions, the CNIL also highlighted the fact that the mobile apps could not be downloaded without activating the SDK technology. As a result, the use of the mobile apps would automatically share the user's location data with these intermediaries. Furthermore, users were not properly informed in-app that their location data would be processed by third-party intermediaries for advertising purposes. In the case of Vectaury, the company did offer to install a 'Consent Management Provider' (CMP) mechanism to strengthen the information provided to users. Nevertheless, the CNIL found that this CMP did not allow for specific consent and did not consider that the information given to the users was sufficient. As a result, these companies did not obtain valid consent from their users. The CNIL also found that the device's location data was being collected by default, which is a violation of the 'privacy by default' principle under the GDPR.
The CNIL considered that the partner's app needed to properly inform users and to set up an in-app pop-up window asking for consent through a checkbox. Ultimately, in three of the above-mentioned cases (Fidzup, Singlespot and Teemo), the ad tech company did set up such a window, which led the CNIL to formally put an end to the proceedings.
Impact on participants in real-time auction platforms
The CNIL also analysed the bidding process organised by real-time auction platforms to sell in-app ad space. In summary, when a data subject connects to an app, his/her personal data are automatically sent to bidding platforms which then ultimately transfer them to advertising intermediaries wishing to buy ad space for their advertiser clients. Intermediaries rely on such data to adjust the value of their bidding request for the given ad space, depending on whether the user's profile matches the targeted audience of advertisers. In the Vectaury case, the CNIL considered that one such intermediary had retained the data transferred by the bidding platform to enrich its own database, regardless of the fact that it had responded positively to the bid process. Here again, the intermediary was not able to demonstrate valid consent for such processing.
Reality check for the ad tech business?
In the above-mentioned cases, the ad tech intermediaries were processing location data for the purpose of providing targeted advertising to mobile app users. The CNIL considered that these intermediaries act as data controllers because they largely determine the purpose and means of the processing. The CNIL did not discuss the possibility of sharing the responsibility between several controllers. In particular, the CNIL did not consider whether these intermediaries could be considered as joint controllers with the app developers or the advertisers. In the Singlespot case, the CNIL specifically held that the intermediaries have to set out "[concrete and precise] requirements with respect to the format and the wording to obtain consent as well as the information to give to data subjects" in the agreement with app publishers. That way, the latter can duly comply with the contractual obligation to obtain consent. Consequently, the CNIL considered that the obligation to provide notice and obtain consent lies with these intermediaries themselves.
While the CNIL recently closed the investigations against Teemo, Fidzup and Singlespot on the grounds that they had shown sufficient evidence to comply with the GDPR, at this date, the investigation is still pending against Vectaury. In particular, the CNIL gave Vectaury three months to comply or it could face sanctions.
Lastly, it is also worth noting that the CNIL has recently adopted its final list of data processing activities that require a data protection impact assessment in accordance with article 35 of the GDPR. One of these processing activities concerns the large-scale processing of location data, such as data that is collected via a mobile app. Another concerns profiling processing using personal data obtained from third-party sources.
Keep checking this blog as we continue to provide you with updates on the implementation of the GDPR in EU Member States.
With special thanks to Sixtine Crouzet for her valuable contribution to this article.