The General Data Protection Regulation (GDPR) is still driving most of the discussion surrounding data privacy and compliance as two companies are hit with notices.
French privacy and compliance regulator CNIL (Commission nationale de l’informatique et des libertés) has issued official notices to two French data companies: Fidzup and Teemo.
CNIL said that the reason both companies were issued notices was that they were non-compliant with consumer consent rules under the newly implemented General Data Protection Regulation (GDPR) and the French privacy law.
Both Fidzup and Teemo are location intelligence vendors that work with retailers and brands on online-to-offline advertising and tracking. Both companies have Software Development Kits (SDKs) that assist them in collecting persistent location data from partner apps.
CNIL discussed each company individually in its notices, which were made public. The bottom line in both cases is that when the partner apps were downloaded, consumer consent was obtained for use of location by the app, but not for transfer of that data to third parties (Fidzup and Teemo), whose SDKs are already integrated into the apps.
CNIL also said that consent to use of location by the app did not equal consent to data collection for advertising and marketing purposes by third parties. In Teemo’s case, CNIL found the company also retained its data too long for “processing.”
Both Fidzup and Teemo are required to come into compliance with GDPR laws within 90 days of the date the notice was presented. Failing to do so may result in sanctions.
“After a thorough technical and legal audit, Teemo has been fully certified in accordance with all the provisions of GDPR by a recognized and independent European privacy organization called ePrivacy GmbH,” Teemo said on its website.
“It is a very important formal warning. This is a leading EU regulator publicly acknowledging the sensitivity of precise geo-location data in the context of mobile apps. The CNIL notes that part of the reason they made this public was to inform privacy professionals of the issues related to this type of technology (SDKs). Many mobile apps integrate SDKs from third-party providers to enable location-based advertising or as a source of revenue for the publisher. The lesson that can be drawn from this, according to the CNIL, is that if consent is the legal basis for this kind of processing, users have to be informed of the specific identity of the partner(s) who are collecting location, and the advertising-related purposes,” said Future of Privacy Forum Policy Counsel Stacey Gray.