“Pardon My French, AdTech!” — CNIL’s GDPR Grin

Oded Israeli
7 min read · Nov 23, 2018


Can we please get some privacy on our mobile? (Image: Pixabay, edited)

French authority orders advertising startup Vectaury to delete its users’ data and get a real consent going forward. Can AdTech survive GDPR?

On the morning of October 30th, 2018, Paris saw its first drops of rain after a sunny summer. Those drops couldn’t foresee the flood that CNIL, the French data protection and privacy regulator, was going to pour over the global AdTech industry with its decision that day. On November 8th, the decision was made public. In the case of Vectaury, a Paris-based AdTech startup, CNIL ordered the company to delete all data it had collected about mobile users without proper consent, and to get an informed and specific consent going forward and within 3 months, or else…(!) CNIL will take additional measures (such as unleashing the mighty fines of GDPR and potentially liquidating into thin air a fair amount of the €20 million that the startup had raised just a month earlier).

“Did you hear about CNIL?” one AdTech exec asked me last week. “Is it a French thing, or are we in trouble too?” The Vectaury decision sent waves of worry across the AdTech industry worldwide, and for a good reason. The practices of the poor French startup are no different than those of many other industry players, who keep our Internet free by molesting every shred of privacy we still hallucinate we’ve got.

For those not familiar with Vectaury, here’s a short summary (it’s probably not totally accurate as my French is rusty). Vectaury was quite successful in getting its mobile advertising SDK (a piece of software within an app) into 32,000 mobile apps used by a whopping 42 million people (or Advertising IDs). All these apps had users agree to terms they’ve never read to track their location at all times, even when they’re not using the app, and send their details to unnamed advertising partners. Users got 3 options — Install (“Yeah, sure, tell the world where I’m at!”), Cancel (and you won’t get the app either), or Settings, where the sophisticated user could untick some pre-checked boxes. If people installed the apps, Vectaury’s SDK would track their every move, display a retailer’s advertisement the moment they walked by a store, or let advertisers bid in real time on placing advertisements on the users’ screens based on their location and profile.

CNIL didn’t like it. They ruled that the SDK and its exact uses and purposes were not mentioned in the terms users “agreed” to with their single click, that there was no real separation between the app and the SDK (so a user could not use the app without agreeing to the advertising practices), that the identity of Vectaury was not disclosed, that data was collected regardless of the user’s choice, and that there wasn’t a valid legal basis for the processing of personal data, which risked people’s liberties by revealing their movements and lifestyle. CNIL determined that people weren’t aware of the risks to their privacy and weren’t able to exercise their GDPR rights. Therefore, whatever consent the company claimed was given was not informed, not specific and not affirmative, as consents ought to be nowadays, in the GDPR era. And if there’s no real consent, then the company needs to purge whatever personal data it has gotten.

Advertising SDKs are as common as mushrooms after the rain. Vectaury is still a small player in the playground of Google’s AdMob, StartApp, InMobi, Flurry, Leadbolt, and others whose SDKs are used millions, if not billions, of times every day. Only God, and maybe the VP of R&D at each company, knows exactly what information their respective SDKs collect. Even God doesn’t know whether their practices are GDPR compliant and what a Data Protection Authority would decide if and when their case is brought to justice (but he has a hunch).

I’ve got to tell you — Vectaury really tried. I’m not being cynical. Around the time GDPR was announced in 2016, the company already appointed a Privacy Manager. They implemented a Consent Management framework that IAB Europe, an industry association, had developed to comply with GDPR, gave users an extra Settings option, and got their website smeared with so much privacy and data protection lingo that you might think they’re a privacy law firm doing the best SEO ever, and not the AdTech company that they are. “Privacy is in the company’s DNA,” no less. They’ve been developing with “Privacy by Design” for years, maybe before this term was even coined. The “privacy of users is common sense and ethics and not just a legal obligation,” their CEO blogged. OK, reading their statements, I can’t avoid some cynicism. Pardon.

Anyway, all this work didn’t suffice. CNIL said they don’t get real consent, and even IAB Europe quickly turned on them, saying Vectaury violated not only GDPR but also IAB’s policies. Now poor Vectaury will undergo another investigation, by IAB, who might punish them a second time (no speaker keynote at our next conference!).

What Does the CNIL Decision Mean for the AdTech Industry?

Is there a way for advertising startups to sail across the troubled GDPR waters without sinking? If someone tells you he has the answer, you might be facing God. Most likely, you’re facing a false prophet. However, anyone can voice his or her opinion — free speech is also a basic human right, which contributes to human progress. Let me tell you what I think, because you read this far :-)

I think the ruling sends the message that advertising, at its core, does more harm than good. Advertising as a monetization model is not a good enough reason (or “legitimate interest,” as GDPR puts it) to do whatever is technically possible to grab and sell personal data. There needs to be a better balance where consumer interests get more weight. Yes, free apps sponsored by AdTech are great. But so is free choice. So is the freedom to wander around without being spied on and bombarded with ads that creep us out with their psychic accuracy.

Another conclusion I make is that getting consent for advertising is going to get increasingly hard, before it gets better. Broad and vague legal clauses that allow data controllers to do whatever the hell they want with users’ data no longer hold water. The default Android and iOS consent windows, where boring terms of use and privacy policies are elegantly concealed under small-font links, failed the test for getting informed consent, at least for AdTech SDKs.

There’s also a silver lining though. Vectaury didn’t get fined, yet. CNIL could have yanked the entire €20 million they raised out of them as a GDPR fine, but it didn’t take a cent. It asked politely that they think of a better way to get consent for their use of geolocation monitoring and real-time bidding on personal data. That’s nice. Companies that don’t comply with GDPR can (sometimes) get another chance to make amends. Also, eventually, the authorities will have to give their blessing to some advertising consent arrangement. Advertising is a $500Bn market that moves the world — all the Internet giants we love and hate make their billions by surrendering our privacy to advertisers.

The Formula for a GDPR-compliant AdTech Consent

Unlike the Tables of the Law, the formula for a GDPR-compliant AdTech consent mechanism has not descended upon us from heaven (because there are no ads in heaven). However, here’s what I would advise my AdTech clients if I were in their fancy yet trembling shoes:

  1. Be frank. If you’re going to do awful things with people’s information, say so. Worst case, TechCrunch will run a story about your shady policy. More likely, people will still click “I agree” to get that freebie and dopamine rush.
  2. Talk at eye level. Legal language is a thing of the past when it comes to privacy policies. To get an informed consent, you have to speak clearly in everyday English (or whatever language your customers speak). Explain what you do with users’ personal information in a way they’d understand, so they can say “that’s fine” or “over my dead body.” Don’t worry, most of us will still agree to everything without ever reading.
  3. Be specific. Don’t use broad terms that capture everything (like “advertising,” “commercial purposes,” or “any legitimate interest we might think of from time to time”). Instead, give concrete examples of what you actually do with data. Ask your smart product manager to list all user stories from the foreseeable roadmap, and update your policy when your engineers discover a new way to undress us of privacy.
  4. Popup the basics. Since no one reads lengthy terms and policies, give your business another safety cushion before it hits GDPR. Upon the first run of the app or service, display a slick-UI popup and ask users nicely to agree to the most problematic uses of personal information. Let them decide if it’s worth it.
  5. Unknow them. To present an ad to a person as she’s walking by The Gap on Fifth Avenue, you don’t have to know her name, what she likes on Facebook, where she lives, and her every move. In the world of post-GDPR big data, companies need to also think small. It’s a person using an iPhone X in Manhattan and watching our ad on Tinder at 11pm. So it’s not my grandpa. One down. Which ad might fit? Seriously, what 5 attributes account for 95% of improved Click-Through-Rates? Advertisers hardly use most targeting options and clicks are ever so random. How can we minimize data collection to avoid personally identifiable information (PII) like the plague? If we don’t know who users are and can’t deduce it (e.g. by constant geolocation tracking), then GDPR doesn’t care. Determining shopping preferences by connecting a thousand unrelated dots is stupid anyhow. Even we don’t know what we’re going to shop for.

“Hi there! To keep our app free, we use a piece of software that tracks your location, also when not using the app, and lets advertisers compete for your attention with relevant offers. Read our privacy policy to know more about how we use your data. If that’s OK, click “Agree” or “Nope” to get random ads. Either way, enjoy our app!”

Now that wasn’t too hard. Was it?
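As an added illustration (not code from the article, from Vectaury, or from IAB Europe’s framework), here is a platform-neutral Python sketch of the consent gate that a popup like the one above would sit in front of; the purpose names, the vendor string, the policy version and the ad records are constructed placeholders. It turns each CNIL finding into a check: the controller’s identity and the policy text shown are recorded, nothing is pre-checked, location is not collected without consent for that exact purpose (and then only coarsely), tapping “Nope” keeps the app usable with untargeted ads, and withdrawal purges what was collected.

```python
import random
from dataclasses import dataclass, field

PURPOSES = ("background_geolocation", "real_time_bidding")  # named purposes; blanket "advertising" rejected

@dataclass
class ConsentRecord:
    vendor: str          # identity of the SDK controller, shown to the user (undisclosed in the Vectaury case)
    policy_version: str  # version of the popup text the user actually saw
    purposes: dict = field(default_factory=lambda: {p: False for p in PURPOSES})  # nothing pre-checked
    affirmative: bool = False  # becomes True only through an explicit "Agree" tap

    def is_valid(self):
        """Informed (vendor and policy), specific (a named purpose) and affirmative: all three or nothing."""
        return bool(self.vendor and self.policy_version) and self.affirmative and any(self.purposes.values())

class AdSdk:
    def __init__(self):
        self.consent = None      # "Nope" (or no tap at all) leaves this None; the app still works
        self.location_log = []

    def user_tapped_agree(self, vendor, policy_version, chosen):
        rec = ConsentRecord(vendor, policy_version)
        for p in chosen:
            if p not in PURPOSES:
                raise ValueError(f"purpose {p!r} is not one of the specific purposes shown")
            rec.purposes[p] = True
        rec.affirmative = True
        self.consent = rec

    def _allowed(self, purpose):
        return bool(self.consent and self.consent.is_valid() and self.consent.purposes[purpose])

    def on_location(self, lat, lon):
        if not self._allowed("background_geolocation"):
            return False  # no consent for this exact purpose: nothing is collected, not even coarsely
        self.location_log.append((round(lat, 2), round(lon, 2)))  # ~1 km cell, not a street address
        return True

    def pick_ad(self, ads, nearby_store=None):
        """Location-targeted ad only with bidding consent; otherwise a random ad with no profile used."""
        if self._allowed("real_time_bidding") and nearby_store:
            for ad in ads:
                if ad["store"] == nearby_store:
                    return ad
        return random.choice(ads)

    def withdraw(self):
        self.consent = None
        self.location_log.clear()  # withdrawal (or an order like CNIL's) purges the data, not just stops it
```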


Adv. Oded Israeli (LL.M., MBA) is a lawyer, marketer, product manager, and consultant, helping companies deal with GDPR in a practical, holistic way. GDPReady quickly analyzes your readiness and builds a tailored plan for compliance where it matters. Send me an email if you want to schedule a free consultation call.

Originally published at https://www.linkedin.com.
