There is life after a GDPR enforcement warning.
Location data ad tech startup Teemo, one of the first companies admonished under the General Data Protection Regulation for gathering and processing data without informed consent, was given the all clear on Thursday.
Teemo, headquartered in Paris, received an ultimatum from France’s data protection authority, the Commission nationale de l'informatique et des libertés (the CNIL), in July: Either obtain the proper consents, provide the proper disclosures and set appropriate limits for data retention or face a possible fine.
The company threw all its R&D resources into reaching compliance, said Alexandra Chiaramonti, Teemo’s managing director for France. It took roughly two months to implement everything the CNIL was asking for.
It was highly unlikely that the CNIL was going to slap Teemo with a fine, though. Making a good faith effort to comply goes a long way with the DPAs. EU regulators aren’t gunning to put small businesses out of business.
The GDPR is “mainly intended to guide behavior, to encourage compliance, not as a vehicle for penalizing,” said Blaine Kimrey, a shareholder at Vedder Price in Chicago, who has spent most of his career litigating technology-related cases.
“The potential penalties are severe under GDPR and they’re definitely there for a reason, but the people I’ve heard speak about GDPR, including those involved in its drafting, don’t see penalties as the standard enforcement proceeding,” he said.
Carrying a big stick and not using it is somewhat of a foreign concept in the United States, where regulators are far more likely to levy fines when they come knocking, Kimrey said, but “companies that do their best, that devote whatever the EU data protection authority deems to be the appropriate level of resources to the matter, will get injunctive relief.”
Teemo’s publisher partners must now display a banner during the app installation process that gives users the opportunity to provide their informed consent for data collection before any data is actually collected. A link gives users more info on their data rights, including the duration of retention – 30 days for raw data and 12 months for aggregated data in Teemo’s case – and the ability to withdraw their consent at any time.
It’s too early to tell whether the changes will impact user opt in, but even if fewer users offer up their consent, that could end up being a good thing, Chiaramonti said. There might be less data, but the quality will ostensibly be better and “more interesting for advertising purposes,” she said.
Although its dustup with the CNIL was far from ideal – “I’m not going to lie, it’s been a very tough couple of months,” Chiaramonti said – there are positive takeaways, not least of which comes in the form of regulatory guidance. When a DPA like the CNIL takes action, it helps clarify the law for other companies looking to comply.
“If everyone is willing to find a reasonable solution which serves each party’s interest, we can get there,” Chiaramonti said. “GDPR doesn’t have to be scary; it can benefit the industry as a whole by building trust from the general public and making this market a lot healthier.”
It’s hard to say what the CNIL’s next move will be, whether it will give companies in its jurisdiction a little time to absorb its guidance on consent and get their own houses in order before making an example out of any other entities – but that’s not the only uncertainty, said Ronan Tigner, an associate at Morrison & Foerster who is focused on data privacy and security.
“We are still waiting for the reform on the ePrivacy regulation governing cookies and similar technologies used in the ads context, which isn’t likely to be finalized before the end of 2018, early 2019,” Tigner said. “There are potential impactful changes, such as more acceptance for consent through browser settings and new explicit consent exemptions, such as cookies for audience measuring or security updates – so, we may be looking at awareness raising and a gradual build-up for now until those rules are known and industry solutions stabilize.”
Fidzup, the other French location data company called out along with Teemo by the CNIL in its warning, is making progress towards compliance with the development of a consent management platform. CNIL reps are cooperating with Fidzup to test the platform, said COO and co-founder Anh-Vu Nguyen. Fidzup is awaiting a final decision from the CNIL about whether its efforts meet “all the expected criteria,” Nguyen said, but the company is “optimistic.”