French data protection agency CNIL has released an alert regarding two French data companies, Fidzup and Teemo, for failing to comply with the European Union’s General Data Protection Regulation.
These companies do business as location intelligence vendors. They are mainly involved in working online-to-offline advertising and measurement, using SDKs that help them gather accurate location data from partner applications. Fidzup and Teemo pay application publishers for supplying them with location data.
The public notices released by CNIL detailed the actions of each company, listing how consumer consent was obtained for use of location by the app partners but not for sharing that data with third parties. They added that consenting to the use of location by an application is not the same as consent for data collection in relation to advertising and marketing campaigns by third party companies.
The CNIL stated that the consent Fidzup and Teemo were using is not in line with the three main tests of consent under GDPR. Firstly, consent was not freely offered. This was due to the consent being thrown in with other things and users were not giving the choice of opting in to one type of data processing but opt-out of targeted advertising. Secondly, the consent provided was not specific as users were also not given the choice to consent (or not) to the specific collection and use of geo-location data for targeted advertising reasons or not.
Lastly, the consent given was not informed. This means that the application users were not asked for their consent prior to downloading the app and therefore were not told that their data would be used for targeting advertising. The geolocation data began being gathered as soon as the app was installed and therefore data subjects were not given a sufficient amount of information on downloading the app to inform them of this practice.
The CNIL has told Fidzup and Teemo to become GDPR compliant within 90 days if they wish to avoid being sanctioned with a fine. If they do not meet this deadline the penalties could be as high as 4% of annual global revenue or €20 million whichever figure is higher.