Since the introduction of the GDPR in May 2018, the Information Commissioner (ICO) has yet to take action in relation to any complaints under the new rules, with most of its recent enforcement decisions relating to matters which occurred before the GDPR came into force.
However, the regulatory authority in France – the Commission Nationale de l’Informatique et des Libertes (CNIL) has recently taken action against two companies under the GDPR in relation to improper consent for use of geo-location data. Their approach is interesting to note, as guidelines intend that a consistent approach to enforcement is adopted across Europe. It also provides an insight into the level of consent required under the GDPR.
The CNIL decision relates to two companies (“Teemo” and “Fidzup”) which used geo-location data to provide targeted advertising to customers. Essentially, these companies offer a tool which enables their customers to collect geo-location data from their customers or mobile app users, which allows them to provide targeted advertising based on certain identified points (such as their stores, competitor stores or places of interest). This processing was based on consent obtained by the app operator to process the customers’ personal data.
The CNIL concluded that the consent relied on did not meet the requirements under the GDPR. The GDPR requires that consent is freely given, specific, informed and unambiguous. The consent relied on by Fidzup and Teemo was considered not to be so for the following reasons:
- The consent was not informed because information about targeted advertising was not provided until the app had been downloaded, at which point geo-location data had already been collected. Where a customer already had the app at the point the companies’ services were engaged by the app provider, the tool started applying following an app update without any information being provided about the change to the privacy policy
- Consent was not freely given because the consent in relation to the advertising tool was bundled together with consent obtained for other processing activities. Essentially, to use the app the customer had to consent to all processing and could not choose to use the app without the targeted advertising tool applying
- Similarly, the consent was not considered to be specific enough as users were not asked to specifically consent to the use of data for targeted advertising.
The CNIL also found that Teemo was retaining the data collected for a period of 13 months, which was considered to be excessive.
The CNIL's decision
The CNIL issued both companies with formal notices requiring them to take steps to be compliant with the GDPR in three months. If they fail to comply, the CNIL may impose a penalty.
This approach by the CNIL indicates a degree of leniency given they have allowed time for the companies to become compliant, with no further action being taken if they achieve this. However, it also indicates the willingness of authorities to take action to hold companies to account.
This is also a helpful indication of the type of considerations being looked at when considering consent and whether it meets the standard required by the GDPR. The findings of the CNIL show that, if relying on consent as the lawful basis for processing data, specific consent for different uses of data may be necessary, and that bundling consent to the extent that a person cannot use the service without consenting to all types of data processing (even if not completely necessary to provide the service) may be a practice which cannot continue under GDPR.
Contact our expert GDPR Solicitors, Glasgow
Miller Samuel Hill Brown can assist with further advice on the GDPR and how it might affect your business, and in providing contracts and policies which might be required. Please get in touch on 01412211919 to discuss how we can help you.