France's data protection authority published a formal warning to two French companies regarding their geolocation data collection and retention practices. The warning provides some clarity on the GDPR's consent and data retention standards.
In late July 2018, France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), published a formal warning to two companies — Teemo, Inc. (Teemo) and Fidzup SAS (Fidzup) — that allegedly collected and retained geolocation data in violation of the EU's GDPR. The CNIL did not impose any fines on the companies, but stated that Teemo and Fidzup may be subject to penalties if they fail to obtain valid consent from data subjects and set an appropriate retention period for geolocation data within three months.
Teemo and Fidzup's Personal Data Practices
Teemo and Fidzup provide software development kits (SDKs) that can be used in mobile applications to track the locations of users for purposes of sending targeted advertisements. Teemo's SDK enables the collection of users' geolocation data every five minutes. Fidzup's SDK makes it possible to send targeted advertisements to users' mobile phones whenever users are near a point-of-sale system installed by Fidzup.
Teemo and Fidzup maintained that they had received users' consent to collect and process geolocation data. However, the CNIL performed audits and determined that the companies did not obtain users' consent in a manner that would satisfy the GDPR's requirements.
The CNIL found that users who downloaded mobile applications that incorporate Teemo's SDK generally did not receive notice of Teemo's geolocation data collection practices. When users downloaded a mobile application that included Fidzup's SDK, the CNIL found that users generally did not receive any information about Fidzup's purpose for collecting geolocation data or other information required under the GDPR. The CNIL also found that users could not download mobile applications without the SDKs and that users consented only to data processing by the mobile application provider and not for targeted advertising purposes.
Data Retention Under the GDPR
The CNIL's warning to Teemo also provides some insight into how the CNIL views data retention practices under the GDPR. With some limited exceptions, the GDPR requires that personal data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. The GDPR offers little guidance on how that determination should be made. In its warning, the CNIL stated that by retaining geolocation data for 13 months, Teemo violated its obligations under the GDPR to define and respect a data retention period proportionate to the purpose of the processing.
The CNIL noted that the use of geolocation devices is particularly intrusive with regard to individual freedoms, given that such devices allow companies to follow users permanently and in real time, but did not expressly explain why 13 months is too long a period of time to retain geolocation data for targeted advertising purposes.
The warning to Teemo and Fidzup provides some early insight into how data protection authorities like the CNIL may approach GDPR enforcement with respect to the consent and data retention requirements. Companies that must comply with the GDPR should continue to monitor warnings and enforcement actions by EU data protection authorities to inform their data processing practices.