The CNIL’s VECTAURY Decision and the IAB Europe Transparency & Consent Framework
On 30 October, the French data protection authority (CNIL) published a notice declaring that French start-up company VECTAURY failed to meet conditions for valid consent under data protection law and ordering the company to cease processing geolocation data for advertising purposes without an appropriate legal basis. VECTAURY has been ordered in particular to ensure it obtains GDPR-compliant consent from users of the apps from whom VECTAURY receives real-time bidding opportunities before processing these users’ data moving forward. In addition, the CNIL ordered VECTAURY to delete all data obtained on the basis of the invalid consent.
Some commentators have suggested that VECTAURY ended up in the CNIL’s cross-hairs because it built a Consent Management Provider (CMP) that implemented the IAB Europe Transparency & Consent Framework (TCF). VECTAURY registered itself as a TCF CMP in May of this year.
The suggestion is wrong: the CNIL’s investigation started prior to VECTAURY ever registering itself as a TCF CMP. In addition, on many of the points on which the CNIL considers VECTAURY’s conduct to have violated the General Data Protection Regulation (GDPR), it also violated the TCF’s policies. Indeed, had the company adhered to those policies, not only would it have been better-placed to meet its obligations under the law, but some of the most problematic of the concerns raised by the CNIL would have been addressed.
Why the CNIL found VECTAURY’s conduct to have breached the GDPR
In its notice, the CNIL finds that in two scenarios VECTAURY did not have a legal basis for the processing of personal data under the GDPR. First, where VECTAURY collected and processed geolocation data from mobile app users of mobile apps via its SDK, and a second where it collected and processed personal data received in real-time bids for inventory on mobile apps.
The legal basis claimed by VECTAURY was the consent of the users whose data was processed. The CNIL’s notice declares that in both scenarios, VECTAURY and its partners failed to meet the conditions for valid consent – and as a result it could not serve as a legal basis for processing.
Conduct that failed to meet requirements of the GDPR
In the first scenario, where VECTAURY collected and processed geolocation data from mobile app users of mobile apps via its SDK, the CNIL noted that default Android OS or iOS notification windows asking for the user’s permission for geolocation data to be collected did not allow VECTAURY to obtain valid consent. VECTAURY then developed a CMP built on the basis of the TCF as a suggested way forward which it submitted to the CNIL. The CNIL opined that while VECTAURY’s CMP would improve transparency for users, it still did not meet the CNIL’s standard for valid consent, because it (a) failed to ensure that users were appropriately informed of the identities of companies that wished to process their data, and (b) failed to ensure that consent was expressed by a clear, affirmative action.
The notice states that in some circumstances, users were not made aware of the fact of VECTAURY (or other companies) seeking consent to process their data at all, and in a consent request UI developed by VECTAURY the default settings didn’t require users to toggle the settings or take some other action in order to convey their agreement.
In both cases, VECTAURY’s CMP also failed to meet its obligations under the TCF’s policies.
In order to be valid under the GDPR, consent must be “informed” and “specific”. Users need to know which companies wish to process their data, and for what purposes. Other information disclosures must accompany this transparency about who is requesting consent, and why. If VECTAURY’s partners failed to disclose to their users the fact that VECTAURY was one of the companies seeking consent to process their personal data, the conduct of both the partners and VECTAURY was clearly non-compliant. The TCF’s policies require that a consent request conveys to the user both the identities of the companies who wish to seek to process a user’s personal data, as well as the purposes of the processing in a way that enables the user to appreciate that each purpose and company are distinct and separate from one another.
On the “affirmative action” item, the position is also unambiguous. VECTAURY appears to have implemented a consent UI in which a user would be considered to have consented to data processing despite taking no affirmative action of any kind to convey agreement. This is a clear breach of the GDPR and of the TCF’s policies, both of which require a user to affirmatively consent.
Conduct that failed to reflect data protection authorities’ opinions
Some of the conduct that the CNIL interpreted as being in breach of the GDPR had to do with how information was presented in the UIs of the apps with whom VECTAURY partnered. Here the CNIL relied on opinions from the Article 29 Working Party of European data protection authorities (DPAs) – and in some cases on its own interpretation of that guidance – to arrive at its finding of illegality.
For example, the CNIL found that the UI in the apps did not inform users of all the controllers who were seeking consent for data processing at the exact moment – or in the exact UI layer – as the request for consent. Similarly, detailed information on the data processing for which consent was being requested was not provided simultaneously. Also, the CNIL found the language used to explain to consumers why data needed to be processed to be hard to understand.
These are more subjective items on which reasonable people can disagree. In the case of presentation to users of the details of the controllers seeking consent simultaneously with the consent request itself, CMPs need to make a judgement about how much information users can assimilate in a single screen. It appears that the UI that VECTAURY implemented in the CMP it recommended to its app partners required the user to click on several links in order to navigate to the list of companies that wished to process their data (including VECTAURY). Arguably a better implementation would have reduced the number of clicks required. Indeed, the TCF’s policies require a link to be provided to the list of companies and for the processing purposes to be disclosed on the first layer of a consent notice.
Helpful information for ongoing work of improving the TCF
In the case of the definitions of data processing purposes for which user consent was being sought, here the CNIL clearly has a point. But striking the right balance between specificity and granularity, on the one hand, and simplicity and ease of comprehension, on the other, is not easy. The definitions that seem to have prompted the finding of illegality include some of the five definitions currently included in the TCF. They are being revised, in a process that began during the summer following our first meetings with DPAs – including the CNIL – to present the Framework. One objective of the revision is to make the definitions easier for users to understand.
Perhaps more importantly, we need to consider the best way forward for the Framework and for users on the points where the GDPR itself is silent or unclear, including how to reconcile the apparently conflicting imperatives of ease of user experience, on the one hand, and timely and complete information, on the other, when it comes to information disclosures to users in the context of consent requests.
The CNIL’s discussion of the second scenario where VECTAURY obtained and processed of data received through bid requests, has also made it evident that we will have to do more to support proper implementations by CMPs of the rules of the Framework and the GDPR. This is imperative if the TCF’s signals are to be trusted by the companies who rely on it to mean that appropriate transparency has been provided to users and valid consent has been obtained. The Framework’s signals need to be reliable since the CNIL confirmed that it expects a company to be able to ensure and demonstrate that the consent it relies on is valid at its source but putting in place contractual provisions does not meet the requirement of demonstrating that consent is valid. As it is entirely unfeasible for millions of websites and apps to be individually vetted by thousands of technology partners, we need a trusted Framework the proper implementation of which can ensure and signal that transparency and consent have been established in line with the GDPR.
Ongoing dialogue with DPAs
We welcome the prospect of discussing these issues with the CNIL and with other DPAs over the coming months.
VECTAURY is under review within the TCF
Having been made aware of a possible breach of the TCF’s policies by VECTAURY’s CMP, we will launch a review of the same. We expect to support the company in its efforts to adhere to the TCF’s policies, and accede to the CNIL’s order.
For more information on TCF roll-out and GDPR legal compliance for the digital advertising industry, please write to us at firstname.lastname@example.org or email@example.com, or check out https://advertisingconsent.eu.