CNIL'S decision on vectaury – focus on consent in the mobile app AdTech context

By Gabriel Voisin, Antoine Piquet

11-2018

Vectaury is the fourth mobile centric AdTech company to be investigated by the CNIL (the French Data Protection Authority) this year. The decision (which can be found here) is an enforcement notice giving the company 3 months to comply with the CNIL requirements. It follows others issued by the CNIL against Fidzup, Teemo and Singlespot.

In the notice, the CNIL sanctions the lack of compliant consent mechanisms in the audited apps but more significantly it analyses the proposed new consent process proposed by Vectaury.

The key points are as follows:

  • "Fear of missing out" techniques in consent statements are not an option

The CNIL is of the view that the proposed new consent statement to be displayed to users (please see an unofficial translation at the end of this article) is deceptive.

Indeed, according to the CNIL, the wording could "lead the user to believe that his refusal to allow his data to be collected and processed will lead either to a paid business model or to the inability to use the app".  In addition, the CNIL stated that this text may also lead the user to think that "refusing to collect his data will make the ads displayed more intrusive".

As a result, data controllers will have to be particularly careful when (re)drafting their consent statements going forward.

  • Plain language is required when describing the purposes of processing

Following from the above, the CNIL found that the description of purposes was drafted in "unclear terms" not allowing users to "understand what they are consenting to".

The authority takes the example of the personalisation activity which is described as the "collection and processing of information in relation to your usage of this service in order to subsequently send you personalised advertising and/or content in other contexts, for example on other sites or applications. Generally, the content of the site or application is used to deduce what are your interests, which will be useful in subsequent advertising and/or content selections."

According to the CNIL, this definition is difficult to understand and does not allow for the expression of informed consent. The CNIL goes on to say that: (i) the wording is imprecise and encompasses too many scenarios; and (ii) "given the complexity of the terms used, its drafting is not adapted to the general public ".

In a summary, wording and descriptions of purposes require particular attention as they must be as simple/accessible as possible.

  • Partners relying on consent must be clearly named on the face of the consent statement

Pursuant to the Article 29 Working Party (predecessor of the EDPB) guidelines on consent (WP 187) quoted by the CNIL ("in a case where the consent sought is to be relied upon by multiple (joint) controllers … who wish to rely on the original consent, these organisations should all be named"), the CNIL is of the view that the new consent process buries the identity of the partners relying on users' consent too deeply inside the consent management solution.

Indeed, the proposed revised consent statement only makes a generic reference to 'partners'. The user must take the additional step of clicking on the button "Manage my preferences" to see the names of these partners.

As a result, the CNIL has found that the user does not have enough information regarding the third party controllers receiving their personal data at the time where they are asked to consent.

To comply with the CNIL's requirements, organisations will: (i) need to spell out the names of their partners (i.e. those parties acting as data controllers and also relying on consent as a legal ground to process users' data) in their consent statements; or if this is a long list, (ii) include a link in the word "partner" redirecting the user to a page where all other data controllers/partners processing data are listed.

As noted by the CNIL in the second part of its decision, this point is especially relevant (but is also practically challenging) in the programmatic advertising arena when data controllers (especially on the demand side) rely on consent as a legal basis for processing users' data.

  • Global Apple (iOS) and Google (Android) native consent mechanisms need to be more specific

Operating systems in mobile devices increasingly restrict access to protected data (e.g. contacts, photos) and resources (e.g. geolocation, push notification). Mobile apps can request access on a case-by-case basis, providing an explanation for why they need access. Ultimately, the user decides whether to grant or deny the request (e.g. in iOS when an app wants to access location details via the GPS of the device the following pop up will always appear, "Allow "App_Name" to access your location while you are using the app? [Dont' allow] [Allow]").

The CNIL does not question the possibility of having a general acceptance/refusal option, however it states that such functionality "cannot be presented to the user without an explanation of the different purposes of processing [which need to be] brought to his attention". If this is not clearly explained then "the user would give global consent to several processing activities he has not been made aware of and therefore for which specific consent has not been requested".

Therefore consent mechanisms must indicate the existence of several processing activities/purposes where relevant. For instance, if geolocation details are used to locate the user of car-pooling mobile app so that the user can find their vehicle and this information is also used to provide the user with geo-targeted advertising, both activities/purposes must be mentioned in the consent statement (not just the first one).

  • Don't pre-select choices when users go to the "Manage my preferences" area

In the proposed new consent process put forward by Vectaury, the CNIL noted that if a user decides to select the [Manage my preferences] option, all the purposes on the preference page are pre-ticked by default. This does not constitute a valid consent. Instead, in the view of the CNIL, in such cases, all the purposes presented on the preference page should be un-selected and left to the discretion of the user.

Consent statement presented to app users

French

English

Afin d’améliorer notre application et vous adresser du contenu et/ou des offres commerciales personnalisées, nos partenaires et nous-mêmes collectons vos données personnelles comme vos données de navigation ou votre position géographique.

Cela nous permet également de vous offrir un accès gratuit à notre service et nous nous engageons à diffuser des publicités dont les formats sont non intrusifs.

In order to improve our application and send you personalized content and/or commercial offers, we and our partners collect your personal data such as your navigation data or your geographical location. It also allows us to offer you free access to our service and we are committed to delivering ads in non-intrusive formats.

En acceptant, vous consentez à ce que nos partenaires et nous-mêmes puissions collecter et traiter vos données personnelles à des fins d’analyse et de publicité.

By accepting, you agree that we and our partners may collect and process your personal data for analysis and advertising purposes.

Vous pouvez changer vos paramètres de confidentialité à tout moment depuis les réglages de l’application.

You can change your privacy settings at any time via the application settings.

A link to the privacy notice of the app is then provided.

L’utilisateur se voit ensuite proposer 3 choix: [J’accepte]/[Je refuse]/[J’affine mes préférences].

The user then had 3 choices: [I agree] / [I do not agree] / [manage my preferences]

 

Si l’utilisateur choisit de personnaliser ses paramètres, le principe de la collecte des données est accepté par défaut pour les différentes finalités identifiées.

If the user chooses to manage his preferences then all the purposes are ticked by default.

 

Il devra alors décocher les unes après les autres les cases correspondant aux différentes finalités pour pouvoir s’opposer au traitement de ses données. Il peut, par un clic supplémentaire, accéder à la liste de tous les responsables de traitement traitant ses données, dont Vectaury, et peut s’opposer au traitement de ses données par responsable de traitement.

The user will then have to untick one by one the boxes relating to the different purposes if they want to object to the processing. The user can, by way of a supplemental click, access the list of all the data controllers processing their data including Vectaury and can object to the processing for each data controller.

 

Authors