Forget The Duopoly (For Now). It’s The Little Guys Taking Heat On GDPR

Bonjour, GDPR enforcement.

Google and Facebook may have bullseyes on their backs in Europe, but it’s two mid-sized French startups that received the first warning shots from the General Data Protection Regulation (GDPR) – and that shouldn’t be surprising.

“GDPR is not just there for the big guys,” said Ronan Tigner, an associate at Morrison & Foerster who’s focused on data privacy and security. “Small and medium companies can also fall under scrutiny, especially if they are very data-intensive.”

The companies in la chaise chaude are Teemo and Fidzup, both of which use an SDK to collect geolocation data for targeted advertising.

France’s data protection authority, the CNIL (the Commission nationale de l’informatique et des libertés), publicly called out the companies in mid-July for gathering and processing data without informed consent.

Fidzup was castigated for not being clear enough about what was being collected, while in Teemo’s case, data was being collected only after users downloaded an app.

Teemo also got dinged for holding on to geolocation data for 13 months, which the CNIL said was too long to justify the purpose of targeted advertising. The GDPR requires companies to only keep data for as long as “necessary,” but in fairness, the rules don’t shed any light on what that means in practice.

This isn’t either company’s first awkward spell in the spotlight. In May, Apple briefly removed apps with Teemo’s geotracking SDK from its App Store because they didn’t collect the proper consents. Yale University’s Privacy Lab also called out Teemo and Fidzup last year in a report on Android apps and “hidden” third-party tracking tools.

The CNIL gave both companies three months to tweak their practices and prove compliance, without levying fines.

Teemo and Fidzup tell AdExchanger that they’re respectively on track to resolve these issues long before the CNIL’s deadline.

Why these guys?

The LUMAscape is large, and the number of mobile ad tech companies on it is multifarious. Why single out Teemo and Fidzup?

The Teemo and Fidzup audits actually took place in 2017, long before the GDPR went into effect. By issuing the public warning now and tying it to GDPR, the CNIL appears to be using the duo as a teaching moment for the industry.

“We cannot know for sure, but it seems that this is the case: that the CNIL wants to educate the market in this way,” said Olivier Magnan-Saurin, Fidzup’s CEO and founder.

As part of its warning, the CNIL said it will pay particular attention in the coming months to companies that develop and use SDKs to collect geolocation data. It also issued accompanying consumer-facing guidance explaining how apps tap into geolocation data and methods to limit data collection.

The CNIL also seems to have been looking for “a sterling example” it could use to demonstrate how “serious and thorough” it’s going to be about enforcing GDPR and French data privacy law, said Chris Olson, CEO of The Media Trust.

It’s not all fire and brimstone, though. As recently as February, the CNIL said it’s not looking to sanction companies making an in-good-faith effort at GDPR compliance. For the first few months, cooperation and diligence were enough to satisfy the CNIL – which is why Teemo was somewhat taken aback by the regulator’s decision to publish the warning.

Teemo hired a chief privacy officer last year and underwent an elective audit with ePrivacy GmbH, an independent certification company based in Hamburg.

The CNIL’s move was understandable, though, said Alexandra Chiaramonti, Teemo’s managing director for France.

“They want to clarify their position on GDPR, which itself doesn’t give much detail on how the rules should be implemented,” she said. “We see this less as Teemo being targeted and more as leverage for the CNIL to clarify what they see as compliance and to provide recommendations for the whole market.”

How to fix it?

Even with a bit more clarity on what needs to be done, however, compliance isn’t a box-ticking exercise. There’s a lot to consider.

Take geolocation data. It’s impossible to set a single time limit for retention, because the data can be used for multiple purposes. It might be OK to keep aggregated geolocation data longer if it’s being used to teach an algorithm, for example, rather than targeting ads.

And in terms of consent, a company like Teemo or Fidzup is a third party that may not have control over which notices its publisher partners show to users.

The CNIL gets it, and Chiaramonti said its representatives have been responsive and more than open to conversations about how to proceed.

“They know we want to be compliant,” she said, “and they’re really helping us work on this.”

But still, said Magnan-Saurin, it would’ve been nice to have had an opportunity to clear up the CNIL’s concerns before the GDPR deadline. Fidzup was in a holding pattern for months following its 2017 audit while waiting for feedback from the CNIL about how to proceed.

For example, Fidzup had always considered itself as a subcontractor to its publisher partners, because it was their data that was being collected. In its warning, the CNIL clarified that Fidzup shares responsibility for the data collected, along with the controller.

Armed with that knowledge, Fidzup has been updating its opt-in notice to be more clear about what data is being collected and how it’s going to be used. And if a publisher declines to include Fidzup’s specific language in its notice, Magnan-Saurin says Fidzup will unplug from the publisher and sever the relationship.

What’s next?

Once the GDPR has had a little more time to percolate, companies should expect less latitude from regulators. Warnings could turn into fines for those that don’t comply or at least make a genuine attempt.

And although the CNIL didn’t say anything specific about Teemo’s or Fidzup’s clients in its warning, there’s no reason regulators won’t start putting the screws to data controllers for what’s happening in their supply chain.

It’s time for everyone to get their houses in order and prepare for that possibility, Tigner said.

“You don’t want a specific inquiry to spiral into something bigger,” he said.

The CNIL did not respond to a request for comment.
