How a CNIL Opinion Changes the Way Advertisers Collect and Use Data

The National Commission for Informatics and Liberties (CNIL) issued an opinion against Vectaury that has severe implications for the way ad-network participants use data. CNIL determined that Vectaury is a direct controller when it uses its Software Development Kit (SDK) to collect personal data, and that its reliance on a pre-checked consent form, which identifies Vectaury in a way that leaves the impression it is an indirect controller, negates informed consent. Secondarily, CNIL determined that Vectaury’s retention and use of ad-network bidding data violates French law and the General Data Protection Regulation (GDPR), because Vectaury relied on contracts between ad-network participants rather than on actual consent logs. The decision means Vectaury is a controller processing personal data without consent or another legitimate basis. In its decision, CNIL ordered Vectaury to stop collecting or processing personal data and to purge any data obtained without proof of valid consent.

The Vectaury decision has broader implications for third-party data collection methods and for the use of ad-network bidding data to improve internal processes. More importantly, Vectaury’s actions in this case are precisely the way most ad-network participants use the data they collect.

A little background: Who is Vectaury?
Vectaury is an account-based marketer that gathers consumer (personal) data to identify target audiences (data subjects) and places advertisements for businesses looking to sell goods or services. Vectaury identifies target audiences with an SDK embedded in a partner’s mobile phone application code.

An SDK is code integrated by an application publisher that allows personal data to be collected from a data subject’s mobile phone. In a real-world example, the application is the travel or game app on your phone; the SDK operates in the background and may serve targeted ads while the application is open, or collect data. Vectaury uses the personal data to cross-reference known points of interest and compile a consumer profile for use in website advertisement bidding.

The many ways an SDK invalidated consent
The first issue CNIL identified is the use of pre-selected data collection settings. At application launch, data subjects see a disclosure that their personal data is subject to collection. A link to the publisher’s privacy policy is provided, allowing the data subject to accept, reject, or customize their preferences. If the data subject chooses to customize processing, they have to scroll through the entire text to reach a preference link. Otherwise, data options are set to allow collection by default.

Unfortunately, using pre-accepted or default collection options results in inactive or silent acceptance, and that automatically negates consent under French law and the GDPR. GDPR Recital 32 states explicitly, “[S]ilence, pre-ticked boxes or inactivity should not therefore constitute consent.”

The second consent killer is the way data is collected through the SDK into a Vectaury repository: by accessing the data and transmitting it to its own repositories, Vectaury is a direct rather than an indirect controller. However, under the processing disclosure, data subjects are not informed that Vectaury is collecting their data. Instead, Vectaury’s identity is disclosed only when customizing consent settings, and even then only after clicking through two hyperlinks. According to CNIL, from a data subject’s perspective Vectaury is described as an indirect controller receiving data from the application publisher. The distinction is subtle yet operationally decisive if Vectaury’s SDK transfers data directly to a Vectaury repository without an intermediary.

CNIL’s position negating consent under these circumstances rests on Working Party 29 Opinion 15/2011, which requires direct identification of the controller for consent to be formed, especially if multiple controllers intend to rely on that consent. Under this fact pattern, Vectaury is identified as a potential controller only after multiple clicks, when it should instead have been identified as a direct controller in the processing disclosure.

Can you use bidding data after the auction?
Vectaury is a member of the Interactive Advertising Bureau (IAB) and relies on the IAB’s Transparency and Consent Framework when collecting data through the ad-network. The IAB approach to consent management relies on contractual obligations that ensure participating controllers have access to the data subject’s consent record on request. When bidding through the ad-network, personal data is transferred from the supply-side controller through intermediaries as part of the bidding process. Demand-side controllers receive personal data to decide whether, and how much, they intend to bid to place targeted advertising in front of the data subject.

Vectaury, like nearly all other ad-network participants, retains this bidding information to analyze and refine its bidding process. Vectaury has two purposes for processing bidding data: (1) improving its auction bid process and (2) updating its version of the data subject’s consumer profile. Vectaury relies on the IAB’s system of contractual relationships as its basis for demonstrating valid consent.

Unfortunately, during CNIL’s audit, the entries relying on the IAB framework were found to be invalid. Why? Under GDPR Article 7, a controller must have a record of expressed consent for all the data it processes, which means that for every personal data entry there must be a corresponding consent record. This GDPR obligation is not satisfied by a contractual clause guaranteeing valid consent records from a completely separate controller. Recital 42 clearly states that the controller’s responsibility is to “demonstrate that the data subject has given consent to the processing operation.” The GDPR and Recital 42 make it very clear that there is a one-for-one requirement that cannot be satisfied with a participant contract.

What does this mean for the ad-networks?...
