Two French location data companies receive GDPR consent warnings
The companies were obtaining user location data from app publishers, but consumers were not told about that usage.
The French privacy regulator CNIL recently issued official notices to two French data companies: Fidzup and Teemo. CNIL said that both companies were non-compliant with consumer consent rules under the General Data Protection Regulation (GDPR) and French privacy law.
Both are location intelligence vendors that work with retailers and brands on online-to-offline advertising and measurement. Both companies have SDKs that help them collect persistent location data from partner apps.
App publishers are paid for their location data (and other data) by companies such as Fidzup and Teemo. This is a common model in the US market and outside the US, as in this case.
Anonymous location data captured without specific consent
CNIL discussed each company individually in its notices, which were made public (and provided to us by the Future of Privacy Forum). Each company was dinged in slightly different ways. However, the bottom line for both was that when the partner apps were downloaded, consumer consent was obtained for use of location by the app — but not for transfer of that data to third parties Fidzup and Teemo, whose SDKs were integrated into the apps.
In other words, users were not being asked to consent to the use of their location data by someone other than by the app publisher, even though that was happening. CNIL said that consent to use of location by the app did not equal consent to data collection for advertising and marketing purposes by third parties. In Teemo’s case, CNIL found the company also retained its data too long for “processing.”
Both companies are required to come into compliance with GDPR within 90 days. If the companies cure their consent defects, CNIL said, there will be no penalty; failure to comply may result in sanctions. There was no discussion of potential liability on the part of the app publishers.
Broader implications for the third-party data ecosystem
I asked Future of Privacy Forum Policy Counsel Stacey Gray about the significance of the notices and their implications for the broader market. Here’s what she said:
It is a very important formal warning. This is a leading EU regulator publicly acknowledging the sensitivity of precise geo-location data in the context of mobile apps. The CNIL notes that part of the reason they made this public was to inform privacy professionals of the issues related to this type of technology (SDKs). Many mobile apps integrate SDKs from third-party providers to enable location-based advertising or as a source of revenue for the publisher. The lesson that can be drawn from this, according to the CNIL, is that if consent is the legal basis for this kind of processing, users have to be informed of the specific identity of the partner(s) who are collecting location, and the advertising-related purposes.
On its site Teemo says that it fully complies with GDPR:
After a thorough technical and legal audit, Teemo has been fully certified in accordance with all the provisions of GDPR by a recognized and independent European privacy organization called ePrivacy GmbH.
Fidzup also stresses that it is privacy-safe, though not in the same explicit fashion as Teemo. It also says that it uses only anonymous data and “doesn’t know who you are.” It offers an opt-out provision on its website; GDPR, however, requires explicit opt-in consent.
One quick conclusion to draw is that the use by third parties of “anonymous” location data is not compliant under GDPR if there’s been no underlying consumer consent. And consent to one use of location by a first party does not translate into consent to secondary uses by others.
GDPR consent requirements for third parties
As attorney Gray notes above, it appears that GDPR is going to require mobile developers that seek to sell or otherwise transfer location data to third parties to provide:
- Notice of the third party's intended use.
- Disclosure of the identities of the third parties.
- The intended purpose of the third-party usage (e.g., advertising).
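The gap CNIL identified is that consent to the app's own use of location was treated as if it also covered the hand-off to SDK vendors. The following is an added example (not code from the article, from CNIL, or from either company) of how an app could scope consent the way the three requirements above describe: a transfer to a partner SDK is allowed only when the user explicitly opted in to that named partner for that stated purpose, stale consents are re-asked, and stored points are purged after a retention period. The partner names (ExampleAdTech, OtherPartner), the purposes, the timestamps and the 90-day retention window are all constructed for the demo, not values taken from the notices.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ThirdPartyConsent:
    """One user decision about one named partner for one stated purpose."""
    partner: str            # identity shown to the user (hypothetical names below)
    purpose: str            # purpose shown to the user, e.g. "advertising"
    granted_at: datetime
    explicit_opt_in: bool   # True only for an affirmative opt-in, never an opt-out default


@dataclass
class ConsentRecord:
    """Consent state the app keeps for one user."""
    location_for_app: bool = False   # first-party consent: the app's own use of location
    # Keyed by (partner, purpose): consent is scoped to a named partner and a stated purpose.
    third_party: Dict[Tuple[str, str], ThirdPartyConsent] = field(default_factory=dict)


def may_share_location(record: ConsentRecord, partner: str, purpose: str,
                       now: datetime, max_age: timedelta = timedelta(days=365)) -> bool:
    """True only if the user explicitly opted in to THIS partner for THIS purpose.

    First-party location permission alone never unlocks a third-party transfer.
    """
    if not record.location_for_app:
        return False
    consent = record.third_party.get((partner, purpose))
    if consent is None or not consent.explicit_opt_in:
        return False
    # A consent older than max_age is treated as stale and must be asked again.
    return now - consent.granted_at <= max_age


def forward_to_sdk(record: ConsentRecord, partner: str, purpose: str,
                   lat: float, lon: float, now: datetime) -> Optional[dict]:
    """Hand-off point to a partner SDK: returns the payload, or None if blocked."""
    if not may_share_location(record, partner, purpose, now):
        return None
    return {"partner": partner, "purpose": purpose,
            "lat": lat, "lon": lon, "ts": now.isoformat()}


def purge_expired(points: List[dict], now: datetime, retention: timedelta) -> List[dict]:
    """Drop stored location points older than the stated retention period."""
    kept = []
    for p in points:
        ts = datetime.fromisoformat(p["ts"])
        if now - ts <= retention:
            kept.append(p)
    return kept


def demo() -> dict:
    """Run the gate over constructed sample data; returns the outcomes."""
    now = datetime(2018, 7, 1, tzinfo=timezone.utc)   # constructed timestamp
    rec = ConsentRecord(location_for_app=True)        # user allowed the app itself
    out = {}
    # App-level permission only: no partner named, no purpose disclosed -> blocked.
    out["first_party_only"] = may_share_location(rec, "ExampleAdTech", "advertising", now)
    rec.third_party[("ExampleAdTech", "advertising")] = ThirdPartyConsent(
        "ExampleAdTech", "advertising", now - timedelta(days=1), explicit_opt_in=True)
    out["named_partner_and_purpose"] = may_share_location(rec, "ExampleAdTech", "advertising", now)
    # Same partner, undisclosed purpose -> blocked.
    out["same_partner_other_purpose"] = may_share_location(rec, "ExampleAdTech", "analytics", now)
    # Partner never shown to the user -> blocked.
    out["undisclosed_partner"] = may_share_location(rec, "OtherPartner", "advertising", now)
    rec.third_party[("OtherPartner", "advertising")] = ThirdPartyConsent(
        "OtherPartner", "advertising", now - timedelta(days=400), explicit_opt_in=True)
    # Opt-in older than max_age -> stale, blocked until re-asked.
    out["stale_consent"] = may_share_location(rec, "OtherPartner", "advertising", now)
    payload = forward_to_sdk(rec, "ExampleAdTech", "advertising", 48.8566, 2.3522, now)
    old_point = {"partner": "ExampleAdTech", "purpose": "advertising", "lat": 48.8,
                 "lon": 2.3, "ts": (now - timedelta(days=120)).isoformat()}
    # Constructed 90-day retention window: only the fresh point survives.
    out["retained_after_purge"] = len(purge_expired([payload, old_point], now, timedelta(days=90)))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keying consent on (partner, purpose) rather than a single "allow location" flag is that the check fails closed for exactly the cases in the notices: a partner the user was never told about, or a purpose (advertising) that was never disclosed. The retention purge addresses the separate finding that data was kept longer than the processing required; the actual period an app must use depends on its own stated purpose, not on the constructed 90 days here.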
Assuming that’s correct, users are going to be much less likely to consent to the third-party uses. In other words, people are happy to give a weather or mapping app permission to use their location, but are unlikely to allow their data to be transferred to third parties for advertising or tracking purposes — even with assurances that it’s all anonymous.
Until the precise language and consumer notifications are worked out, this creates a cloud over the European location data ecosystem.
These cases are noteworthy because the targets are modest-sized companies that some people thought would largely escape near-term GDPR scrutiny. They also reinforce the notion that Google and Facebook have a tremendous advantage because they can directly ask for consent for the use of data across their own properties and ad networks.