Bonjour, GDPR enforcement.
Google and Facebook may have bullseyes on their backs in Europe, but it’s two mid-sized French startups that received the first warning shots from the General Data Protection Regulation (GDPR) – and that shouldn’t be surprising.
“GDPR is not just there for the big guys,” said Ronan Tigner, an associate at Morrison & Foerster who’s focused on data privacy and security. “Small and medium companies can also fall under scrutiny, especially if they are very data-intensive.”
The companies in la chaise chaude are Teemo and Fidzup, both of which use an SDK to collect geolocation data for targeted advertising.
France’s data protection authority, the CNIL (the Commission nationale de l’informatique et des libertés), publicly called out the companies in mid-July for gathering and processing data without informed consent.
Fidzup was castigated for not being clear enough about what was being collected, while in Teemo’s case, data was being collected only after users downloaded an app.
Teemo also got dinged for holding on to geolocation data for 13 months, which the CNIL said was too long to justify the purpose of targeted advertising. The GDPR requires companies to only keep data for as long as “necessary,” but in fairness, the rules don’t shed any light on what that means in practice.
This isn’t either company’s first awkward spell in the spotlight. In May, Apple briefly removed apps with Teemo’s geotracking SDK from its App Store because they didn’t collect the proper consents. Yale University’s Privacy Lab also called out Teemo and Fidzup last year in a report on Android apps and “hidden” third-party tracking tools.
The CNIL gave both companies three months to tweak their practices and prove compliance, without levying fines.
Teemo and Fidzup tell AdExchanger that they’re respectively on track to resolve these issues long before the CNIL’s deadline.
Why these guys?
The LUMAscape is large, and the number of mobile ad tech companies on it is multifarious. Why single out Teemo and Fidzup?
The Teemo and Fidzup audits took actually place in 2017, long before the GDPR went into effect. By issuing the public warning now and tying it to GDPR, the CNIL appears to be using the duo as a teaching moment for the industry.
“We cannot know for sure, but it seems that this is the case: that the CNIL wants to educate the market in this way,” said Olivier Magnan-Saurin, Fidzup’s CEO and founder.
As part of its warning, the CNIL said it will pay particular attention in the coming months to companies that develop and use SDKs to collect geolocation data. It also issued accompanying consumer-facing guidance explaining how apps tap into geolocation data and methods to limit data collection.
The CNIL also seems to have been looking for “a sterling example” it could use to demonstrate how “serious and thorough” it’s going to be about enforcing GDPR and French data privacy law, said Chris Olson, CEO of The Media Trust.
It’s not all fire and brimstone, though. As recently as February, the CNIL said it’s not looking to sanction companies making an in-good-faith effort at GDPR compliance. For the first few months, cooperation and diligence were enough to satisfy the CNIL – which is why Teemo was somewhat taken aback by the regulator’s decision to publish the warning.
Teemo hired a chief privacy officer last year and underwent an elective audit with ePrivacy GmbH, an independent certification company based in Hamburg.
The CNIL’s move was understandable, though, said Alexandra Chiaramonti, Teemo’s managing director for France.
“They want to clarify their position on GDPR, which itself doesn’t give much detail on how the rules should be implemented,” she said. “We see this less as Teemo being targeted and more as leverage for the CNIL to clarify what they see as compliance and to provide recommendations for the whole market.”
How to fix it?
Even with a bit more clarity on what needs to be done, however, compliance isn’t a box-ticking exercise. There’s a lot to consider.
Take geolocation data. It’s impossible to set a single time limit for retention, because the data can be used for multiple purposes. It might be OK to keep aggregated geolocation data longer if it’s being used to teach an algorithm, for example, rather targeting ads.
And in terms of consent, a company like Teemo or Fidzup is a third party that may not have control over which notices its publisher partners show to users.
The CNIL gets it, and Chiaramonti said its representatives have been responsive and more than open to conversations about how to proceed.
“They know we want to be compliant,” she said, “and they’re really helping us work on this.”
But still, said Magnan-Saurin, it would’ve been nice to have had an opportunity to clear up the CNIL’s concerns before the GDPR deadline. Fidzup was in a holding pattern for months following its 2017 audit while waiting for feedback from the CNIL about how to proceed.
For example, Fidzup had always considered itself as a subcontractor to its publisher partners, because it was their data that was being collected. In its warning, the CNIL clarified that Fidzup shares responsibility for the data collected, along with the controller.
Armed with that knowledge, Fidzup has been updating its opt-in notice to be more clear about what data is being collected and how it’s going to be used. And if a publisher declines to include Fidzup’s specific language in its notice, Magnan-Saurin says Fidzup will unplug from the publisher and sever the relationship.
Once the GDPR has had a little more time to percolate, companies should expect less latitude from regulators. Warnings could turn into fines for those that don’t comply or at least make a genuine attempt.
And although the CNIL didn’t say anything specific about Teemo’s or Fidzup’s clients in its warning, there’s no reason regulators won’t start putting the screws to data controllers for what’s happening in their supply chain.
It’s time for everyone to get their houses in order and prepare for that possibility, Tigner said.
“You don’t want a specific inquiry to spiral into something bigger,” he said.
The CNIL did not respond to a request for comment.