It looks like the French data protection authority becomes the European leader in regulating online advertising and translating the requirements of the GDPR into real business assessments.
Since July 2018 they have been busy with investigating data collection for advertising purposes. They started with relatively small French companies. First it was about location data processing done by Teemo and Fidzup: the CNIL found that these companies did not have a valid consent for collecting location data via their SDK installed in the apps of their partners.
Then was the Singlespot investigation with a very similar conclusion from the CNIL: the company did not obtain valid consent for processing location data via an SDK.
After that it was Vectuary’s turn: the CNIL has scrutinised the company’s location data processing practices and once again declared Vectaury’s consent management process insufficient. In their notice to Vectaury the CNIL has also touched upon a very interesting issue of sharing consent across multiple companies. The CNIL has made it clear: any company that processes personal data on the basis of consent, bears the responsibility of proving that the consent is valid and obtained according to all rules. Simply put, we as businesses cannot pass consent on contractually, we should always be able to prove that people allowed us to work with their data according to the GDPR standards.
In all of these cases the CNIL has served formal warnings and ordered these companies to fix outstanding consent issues.
And now we have another decision of the French regulator, but this time it is about a “somewhat bigger” company – Google. The CNIL has once again focused on advertising consent and has once again found that consent obtained by Google was not sufficient.
Moreover, the CNIL has concluded that the level of infringements and their impact were so severe that Google deserved a 50 million euro fine instead of a formal notice, making it the highest fine ever issued by a data protection authority in Europe. One could even think that the CNIL has started the year with a statement.
So how did Google breach the consent requirements under GDPR?
All decisions of the CNIL are consistent and all of them refer to the GDPR as well as the European Data Protection Board’s (previously known as Article 29 Working Party) guidelines on consent and transparency. So the CNIL used the standards established by the GDPR and EDPB to evaluate a number of very specific business practices and their compliance.
In Google’s case, for example, the CNIL has found that the company has not been transparent enough about their data uses. More specifically, the authority looked into the creation of Google accounts when setting up Android devices and the subsequent data use for advertising purposes.
The CNIL finds that Google is not transparent with their users based on the following:
Another issue is that “some information is not always clear nor comprehensive”. The CNIL did admit that giving all necessary information in the first layer wouldn’t be comprehensible either. But they also repeated the EDPB’s recommendation on providing consent for complex operations: companies should give people an overview of possible impact that kind of data processing might have on them. This requirement to explain the consequences of data processing has one simple goal: users should not be surprised when they find out how their data is used in reality.
It is also worth noting that the CNIL found that Google has failed to clearly communicate the legal basis of data processing for advertising purposes. At first, users would be under impression that it was consent, but in some documents Google would also mention legitimate interest.
Missing data retention period:
Finally, the CNIL notices Google does not provide the information about the retention periods for some data. According to the GDPR, people need to be aware of how long data processing is going to take or at least have an indication of the approximate timeline at the time of consent collection.
So what does it mean for consent?
Consent under GDPR is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The CNIL simply evaluated if consent obtained by Google was indeed:
- freely given (were people allowed to say no without limitations of service?),
- specific (was it granular and was it possible for users to agree to specific purposes?),
- informed (was the company transparent enough with the users?) and
- unambiguous (was there any room for misinterpretation of what users agreed to?)
According to the CNIL, Google has failed three out of four tests above.
As the CNIL has already established, Google was not transparent about their advertising data use. Which on its own is enough to conclude that the advertising consent obtained by Google is not informed and thus invalid.
Google also did not obtain unambiguous consent: in particular, they used pre-checked boxes for personalized ads. Pre-checked boxes mean that there is room for interpretation. In fact, one could question whether people even saw these boxes before creating an account.
All of the above suggests that the data protection authorities are paying attention to the complexities of advertising consent and it’s fair to expect more of these decisions in 2019. In fact, the Swedish data protection authority has just announced that it would look into Google’s location data processing. A number of complaints from civil rights groups have already been submitted, among which the most notable is probably Privacy International’s complaint against 7 advertising and data broker companies.
It is time for us as businesses to toughen up, start taking consent seriously and ask ourselves some difficult questions. For example, are we doing enough and are we clear to the people who’s consent we are seeking?
Here is 6 steps every business needs to take to avoid being caught in the GDPR crosshairs:
Tip 1: Take a close look at your sites and apps. Understand which advertising partners you work with, what other resources you have connected, why they are on your app or site and what they do. You are likely to make some interesting discoveries if you do that check, we promise.
Tip 2: Check the applicable local telecommunications law(s). Cookies and other third party technologies fall under the ePrivacy directive which has local versions in all EU countries. For example, in the Netherlands the relevant law is Telecommunicatiewet 2018, so that would be the first law to comply with, GDPR comes into play only after this. Striking the right balance is going to be crucial for your consent management efforts.
Tip 3: Come up with a set of tools you want to use for managing consent. For example, it could be a Consent Management Platform like ‘Privacy Manager’ (Faktor’s proprietary platform). It is important to understand why you are using those tools and how they help your compliance efforts.
Tip 4: Involve the right people from your company. You need to be prepared to spend some time on your site and app compliance, especially if do not examine them regularity. So take this activity seriously, have a dedicated web/app developer ready and guide them when needed to make sure that they do not miss the bigger (legal) picture. The perfect mix of people involves specialists in Legal, Privacy, Commercial and IT.
Tip 5: Implement your consent management tool and keep it updated. Putting the CMP on your site/app is not going to make you compliant on its own. Think of how you are going to keep the CMP updated and who is going to make sure that CMP is taken into consideration whenever you roll out changes on your site/app or add new third-party resources. If you work with the IAB’s Transparency and Consent Framework, who will keep an eye on the changes within the Framework itself? Be sure to run periodic checks to ensure that no third party resources are being loaded without user’s consent or your knowledge. This technique is called conditional firing.
Tip 6: Remember that your users need to be able to review, change or withdraw their consent at any time. Provide your users with clear, specific and granular information, make sure that they know about their rights and how to exercise them. Make it easy for them to review what they have agreed to. Do not activate all processing purposes by default. Learn from what Google did wrong and do better! At Faktor we developed our very recognisable privacy fingerprint for the best user experience.
In the meantime, one clear action you can take today is ensure you understand where your business currently stands when it comes to the GDPR. What steps can you take to minimize your chances of being deemed not compliant? Give us a shout out at firstname.lastname@example.org and we would love to help you out with an initial check on your websites or apps and show you how the Faktor Consent Management Platform can give you a peace of mind.