The French Supervisory Authority for Data Protection ("CNIL") has issued a formal warning to the start-up company Vectaury, according to which the company has failed to meet the conditions for valid consent under the GDPR. Vectaury is an advertising network that buys online advertising space for its customers (advertisers) and offers them a tool that enables them to collect geolocation data on devices and browsers of users. In turn, Vectaury processes, for profiling and advertising-targeting purposes, geolocation data that it receives via real-time bidding offers, in order to allow the company to purchase advertising space.

CNIL ordered the company to delete all data obtained on the basis of invalid consent, and noted that the entire industry should view this case as an example. CNIL has become very active lately in the field of behavioural advertising, as this is the second time within a few months that CNIL has issued a formal warning relating to this type of issue (see our related report here). In both cases, CNIL's enforcement action was focused on the advertiser and not on the publisher.

CNIL stated that Vectaury is unable to demonstrate that the data it collects through real-time bid requests is subject to informed, free, specific and unambiguous consent. Although the company provided a short notice explaining that the application collects users' data for the purpose of targeted marketing, and offered users three options - to accept, refuse, or customise their preferences - CNIL stated that Vectaury does not comply with the GDPR requirements, based on the following findings:

  • The information provided was insufficient, as it was unclear, used complex terms and was not easily accessible;
  • Users were not asked to consent to the processing of their geolocation data specifically; and
  • The consent obtained was not based on an affirmative answer, as the options were pre-ticked.

During the investigation, the company claimed it used a template framework for its consent flow that had been created by the Interactive Advertising Bureau ("IAB"). However, CNIL found that the information provided and the consent obtained using this tool did not meet the GDPR's requirements for consent. IAB argued in response that Vectaury did not correctly implement the "Transparency & Consent Framework-compliant" consent management platform ("CMP") framework and that, had it been implemented correctly, some of the most problematic issues raised by CNIL would have been addressed.
