French ICO orders deletion of 67 million records

CNIL, the French ICO, has ordered a marketing company to delete the 67 million records it holds.

Vectaury, a Paris-based marketing company, operated by persuading mobile app producers to include a proprietary piece of code in their apps.  Once loaded onto a user’s phone, the Vectaury code would send geolocation and other user data to Vectaury, which would then auction real-time access to the users’ mobile phones to advertisers.  The advertisers would then send targeted ads to users’ phones based on each user’s location and other attributes.

 

The CNIL reviewed how Vectaury collected user data.  It concluded that:

 

  • Vectaury’s disclosures to individuals were not sufficiently transparent,
  • Consent was not validly obtained.

 

Because the user data had been unlawfully obtained, it ordered Vectaury to destroy the records: all 67 million of them.  This decision is sending shockwaves through the world of adtech.

 

For a good article on this case:  https://techcrunch.com/2018/11/20/how-a-small-french-privacy-ruling-could-remake-adtech-for-good/.

 

The CNIL’s decision is set out below in English (translated by Google Translate, so with some idiosyncrasies).

 

National Commission of Computing and Freedoms

Decision no. MED-2018-042 of 30 October 2018

Decision No. MED 2018-042 of October 30th, 2018: enforcement notice against the company VECTAURY

Status: In force

The President of the National Commission for Informatics and Liberties,

Having regard to the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data;

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the free movement of such data;

Given the Penal Code;

Considering Law No. 78-17 of January 6th, 1978, as amended, relating to data processing, files and freedoms, in particular its Article 45;

Considering Decree No. 2005-1309 of October 20th, 2005, as amended, taken for the application of Law No. 78-17 of January 6th, 1978 relating to data processing, files and freedoms;

Considering Deliberation No. 2013-175 of July 4th, 2013 adopting the rules of procedure of the National Commission for Informatics and Liberties;

Considering Decision No. 2018-022C of March 30th, 2018 of the President of the National Commission for Informatics and Liberties instructing the Secretary General to carry out, or have carried out, a verification mission at the company VECTAURY;

Considering the inspection minutes No. 2018-022/1 of April 19th, 2018 and No. 2018-022/2 of April 20th, 2018;

Considering the other parts of the file;

The company VECTAURY (hereinafter the company), located at 33, rue Lafayette in Paris (75009), is a simplified joint stock company specializing in computer programming and in particular the publishing and sale of computer tools. It employs 56 people and achieved a turnover of around 3.2 million euros in 2017.

The activity of the company VECTAURY is to display advertisements, on behalf of its advertiser customers, on the computers of people whose profile is determined from their geolocation data. The company also has the activity of measuring the visits of mobile users [1] in the points of sale of its customers.

On May 23, 2017, the company made to the National Commission on Informatics and Liberties (hereinafter CNIL or the Commission) a commitment to comply with simplified standard No. 48 of 21 June 2012 regarding the automated processing of personal data relating to the management of customers and prospects (declaration No. 2066435).

It also appointed a Data Protection Officer on 28 March 2018.

Pursuant to Decision No. 2018-022C of 30 March 2018 of the President of the Commission, a delegation of the CNIL conducted on-site inspection missions at the company VECTAURY on 19 and 20 April 2018. The missions were intended in particular to verify compliance with Law No. 78-17 of 6 January 1978 relating to computers, files and liberties (hereinafter the Data Protection Act or the Law of 6 January 1978) of all the processing of personal data implemented by the company.

The goal of VECTAURY is to establish the profile of mobile users based on their travel habits in order to offer them targeted advertising.

In this context, the company has concluded contracts with 5 partner companies that publish 19 widely distributed mobile applications (such as […]). It has also identified points of interest (hereinafter POIs) that correspond to geographic coordinates of places that reveal a consumer profile, such as physical outlets. Subsequently, the company VECTAURY carries out marketing campaigns through the purchase of advertising space on behalf of companies (mainly store signs such as […] or […]), through the auction of advertising space in real time.

In order to carry out this service, the company indicated, during the inspection, that it has developed an SDK, integrated by its partners in their mobile applications, which makes it possible to collect the geolocation data as well as the mobile advertising identifier, the name and the version of the mobile application and the operating system used (ANDROID or IOS). The data collected through the SDK is then cross-referenced with the POIs determined with the VECTAURY advertiser customers, which qualifies the user’s profile for the desired advertising targeting. These data are kept by the company within the database using the tool […].

As a first step, the SDK is integrated into the mobile application code of these VECTAURY partner companies, such as […] or […], in order to collect in the background and transfer to the company VECTAURY the operating data of the applications installed by users on their computers.

Secondly, the geolocation data collected through the SDK are cross-referenced with the POIs determined by the partners of the company, which makes it possible to establish the profile of the user.

Thirdly, the company carries out marketing campaigns through the purchase of advertising space on real-time advertising auction platforms, also called bid requests.

The bid requests system allows mobile applications to find an advertiser to display advertisements on the ad slots they include. To do this, the applications send to third-party companies geolocation data and the mobile advertising identifier of the smartphone in order to display the advertisement.

These third-party companies (in this case, […] and […]) send auctions to VECTAURY (and several similar companies) in order for it to purchase the space and broadcast the advertising of its customers.

In order for VECTAURY to estimate the value of the advertising space for its customers and place a bid, companies […] and […] transmit to it the various data they have received from the application where the advertisement will be displayed. These data are kept by VECTAURY. This relationship is governed by contracts between VECTAURY and the companies […] and […].

VECTAURY is also active in measuring the visits of mobile users to the physical outlets of its partners. The data collected via the SDK and the bid requests allow the company to check if each mobile targeted by advertisements has visited a physical point of sale. This activity allows him to measure the performance of his advertising campaigns.

During the inspection on 19 and 20 April 2018, the company informed the delegation that the data collected via the SDK and the bid request are shared within the same database.

The delegation found that the company keeps in the same database 24,688,863 advertising identifiers recovered through the bid requests to which the company responded and 42,934,160 distinct identifiers recovered through bid requests to which the company did not respond. These identifiers are kept in a field called VUID, in the form of a truncated hash [3].

In addition, the Delegation noted that there were 5,150,201 advertising identifiers retrieved via the SDKs installed on the mobile applications of its partner publishers.

Each of these advertising identifiers is directly linked to the smartphone of a person who has downloaded a mobile application from one of the partners or an application from which a bid request emanates.

In addition, the delegation noted, on several inspected mobile applications integrating the SDK of the company VECTAURY, that when the user of a device validates the authorization of access to his geolocation data for the operation of the application, his data are also transmitted to the company VECTAURY without his being specifically informed and without his consent being collected for this transmission.

The delegation noted that geo-location data collected by the SDK are kept for 12 months from the date of collection. It was also found that data collected via bid requests are kept for twelve months. The company told the delegation that these data are kept whether it has bid or not.

Following requests by the delegation at the end of the inspection, the company provided additional elements, by email of 1 June 2018, in particular concerning the information given to mobile users in the general conditions of use of the mobile applications and the establishment of a tool (Consent Management Platform) aimed at keeping evidence of the collection of people’s consent. It also provided the Commission, by e-mail, with additional information on how to obtain the consent of individuals, the last elements having been received on 26 October 2018.

II- The concept of controller and personal data

On the quality of the controller

According to Article 3-I of the amended law of 6 January 1978, the person responsible for the processing of personal data is, unless specifically designated by law or regulation relating to such treatment, the person, the authority, the service or the body which determines its aims and means.

In view of the observations made by the CNIL and the elements communicated after the inspection, it appears that the company VECTAURY determines to a large extent the purposes and the means of the treatments implemented in the context of the use of the SDK and the devices of auction of real-time advertising (bid requests).

Indeed, it is clear from the documents sent to the delegation that the company handles for its own account the personal data collected via the SDK to sell analysis or profiling services to its customers.

In addition, the delegation was informed that the data of the users of the various mobile applications collected are registered in the same database, which the delegation noted.

Finally, the company VECTAURY told the delegation to consider itself as controller.

The company VECTAURY must, therefore, be regarded as responsible for the processing implemented in the context of the use of the SDK.

On the collection of personal data

Under Article 2 of the amended Law of 6 January 1978, personal data is any information relating to a natural person who is identified or who can be identified, directly or indirectly, by reference to an identification number or to one or more elements specific to that person. In order to determine whether a person is identifiable, account must be taken of all the means of identification that are available to, or accessible by, the controller or any other person.

In addition, the processing of personal data covers any transaction or set of transactions involving such data, irrespective of the process used, including the collection, recording, organization, storage, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of provision, reconciliation or interconnection, as well as the locking, erasure or destruction.

The delegation noted that the company VECTAURY collects, via the SDK installed within mobile applications and via automated devices for buying online advertising (bid requests), the advertising identifier of the smartphone associated with the geolocation data of the person as well as technical data relating to the smartphone.

The advertising identifier is a unique identifier generated by the operating system of the smartphone to identify the terminal of the user stably over time. It is available to all mobile applications installed on it and is also accessible to the various SDKs installed in mobile applications.

This advertising identifier is stored permanently in the user’s computer and thus makes it possible to identify the user indirectly. It is intended to identify the user in order to associate an advertising profile made from its geolocation data. It therefore makes it possible to identify the user during his later use of other mobile applications on his phone in order to associate his advertising profile and to display advertisements specifically chosen according to his travel habits.

It follows that the company processes personal data pursuant to Article 2 of the law of 6 January 1978 as amended.

III- On the shortcomings noted with regard to the provisions of the law of January 6, 1978

Failure to provide a legal basis for the implementation of the treatment

  1. Regarding data from the SDK of VECTAURY

The delegation was informed that the company is collecting geolocation data from people using the SDK embedded in mobile applications downloaded by mobile users. Subsequently, geolocation data is cross-referenced with POIs in order to qualify the profile of individuals and to carry out advertising soliciting operations with them.

However, such a combination of the personal data of mobile users for advertising purposes can only take place if the company can rely on one of the conditions laid down in Article 7 of Law No. 78-17 of 6 January 1978 as amended, which provides that:

Processing of personal data must have the consent of the data subject or satisfy one of the following conditions:

1° Compliance with a legal obligation incumbent on the controller;

2° Safeguarding the life of the person concerned;

3° The execution of a public service mission with which the controller or the addressee of the treatment is invested;

4° The execution of either a contract to which the person concerned is party or of pre-contractual measures taken at the request of the latter;

5° The realization of the legitimate interest pursued by the controller or the recipient, subject to not disregarding the interest or fundamental rights and freedoms of the person concerned.

The processing of geolocation data for targeted marketing is, according to its controller, the company VECTAURY, based on the consent of those concerned. It is clear from the contracts between the company and the mobile app publishers that the consent of the persons concerned must be obtained. To this end, the company told the delegation that it is offering publishers an information interface aimed at obtaining the consent of mobile users.

Furthermore, it is clear from the information provided by the company to the Commission, in particular on 12 June and 20 August 2018, that the company has joined the Interactive Advertising Bureau (IAB) and has developed, in partnership with this association of market professionals advertising on the internet, a tool designed to standardize the way consent is collected via the SDKs. The documents sent to the Commission on October 26, 2018 present the latest version of this tool developed by VECTAURY, known as the Consent Management Provider (CMP).

These documents show the path followed by the user of an application that has integrated the CMP proposed by the company.

At the launch of the application, the publisher informs the user of the collection of his data by a text as follows:

In order to improve our application and to send you personalized content and / or commercial offers, our partners and ourselves collect your personal data such as your browsing data or your geographical position. It also allows us to provide you with free access to our service and we are committed to delivering ads with non-intrusive formats.

By accepting, you consent to our partners and ourselves collecting and processing your personal data for analysis and advertising purposes.

You can change your privacy settings at any time from the application settings.

A link to the privacy policies of the application is proposed after this text.

The user is then offered the choice between “I accept”, “I refuse” and “I refine my preferences”. If the user chooses the third option and decides to customize the parameters, the principle of data collection is accepted by default for the different purposes identified. He must then uncheck one after another the boxes corresponding to different purposes to be able to oppose the processing of his data. He can, by an additional click, access the list of all data controllers processing his data, including VECTAURY, and can oppose the treatment of his data by controller.

According to Article 2 (h) of Directive 95/46/EC of 24 October 1995, consent means any free, specific and informed expression of will by which the data subject agrees that personal data relating to him or her be processed.

In this respect, the notion of consent, which is included in the General Data Protection Regulation, is no less demanding since it is intended that it should be given by a clear positive act by which the person concerned expresses in a free, specific, informed and unambiguous way its agreement to the processing of personal data concerning it.

However, it appears from the checks and analysis of the documents sent to the Commission that the mechanism proposed to users who downloaded applications from the partners of the company does not allow users to validly consent to the processing operations carried out by the latter.

First, consent must be informed.

The Article 29 Working Group (G29), in its Opinion 15/2011 of 13 July 2011 on the definition of consent, stated that consent implies that all the necessary information must be given at the time of the request for consent and that this information must cover all substantive aspects of the treatment that consent is supposed to legitimize.

In addition, the G29 indicates that the information must be transmitted in a suitable language allowing the data subject to understand what he or she consents to and what the purposes of the processing are, and that the information provided to the users must be clear and sufficiently visible that they cannot overlook it. The information must be directly communicated to the persons concerned. It is not enough that it is simply available somewhere.

In this case, the Delegation noted that at the time of the installation of the […] inspected application, people are not informed about the collection of their geolocation data via the SDK for the purpose of profiling users and advertising targeting.

However, it is clear from the latest updates communicated to the Commission services that VECTAURY has developed a CMP to be integrated into the applications by the partner publishers, the details of which have been explained previously.

In this regard, it first appears that the presentation text, directly communicated to the user at the first opening of the application and reproduced in extenso above, does not provide the required clarity in that it does not allow persons concerned to understand precisely what they agree to.

The text lacks transparency, in that it may suggest to the user that its refusal to have its data collected and processed will result in either a paid business model or an inability to use the application. It may also be thought that the refusal to collect its data will make advertisements appear more intrusive ( This also allows us to offer you free access to our service and we are committed to displaying non-intrusive ads ).

Secondly, the definitions given to the purposes presented by VECTAURY are written in unclear terms that do not allow the person to understand what he or she consents to.

For example, the personalization purpose highlighted in the CMP is defined as the collection and processing of information relating to your use of this service in order to subsequently send you advertisements and / or personalized content in other contexts, for example on other sites or applications. In general, the content of the site or application is used to make inferences about your interests, which will be useful in future advertising and / or content selections. This definition is unclear and cannot be used to express informed consent. On the one hand, it is imprecise in that it covers a large number of situations. On the other hand, its wording, taking into account the complexity of the terms used, is not adapted to the general public that is the subject of the treatments carried out.

Thirdly, people are not validly informed of the identity of the companies by which their data will be processed and which will, in this respect, be responsible for processing.

In its opinion 15/2011 of 13 July 2011, the G29 considered that information relating to the identity of the controller must necessarily be communicated to the user. This element is considered by the G29 to be crucial for the user to make a choice. The working group also clarified that if the requested consent will serve as the basis for several (joint) controllers or if the data will be transferred to, or processed by, other controllers who wish to rely on the original consent, these organizations should all be named.

In this case, information on the identity of those responsible for treatment is not directly accessible to individuals. It requires that the user, when opening the application, make the choice to refine its preferences, and scroll to reach a link called See all partners . A click on this link will send it to a page listing all the partners of the application, including VECTAURY.

This presentation implies that when the first page is displayed, showing the buttons “I accept”, “I refuse” and “I refine my preferences”, the user is not informed of the recipients of his data, and that any consent he would give by clicking the button “I agree” would not be informed consent.

Therefore, and even assuming that the new version of the CMP will be deployed on all applications in which VECTAURY has installed its SDK, people are not duly informed of the collection of their geolocation data by VECTAURY, via the installation of an SDK, for the purpose of targeted advertising.

Second, the consent must be specific.

In a notice 15/2011 of 13 July 2011, the G29 recalled that to be valid, the consent must be specific. In other words, a general consent, without specifying the exact purpose of the treatment, is not acceptable. To be specific, consent must be intelligible. It must state clearly and precisely the extent and consequences of data processing … Consent must be given on the clearly defined aspects of treatment. […] It can not be regarded as covering all the legitimate aims pursued by the controller.

The delegation noted during the on-the-spot check that people are required to validate the authorization to collect their geolocation data only for the use of the downloaded mobile application.

As an example, in the case of the mobile application […], when it is installed on Android, the person is asked to agree to the following: “Authorize application […] to access the position of the device”. Regarding the application installed on IOS, the following window is displayed during the installation: “Allow access […] to your location data (even when you are not using the app) to inform you about events around your home”.

The latest version of the CMP presented by the VECTAURY company in its October 26, 2018 submission of documents refines the procedures for obtaining consent but does not remedy the lack of specificity of the consent obtained.

It is indeed proposed to the user, after a brief presentation reproduced previously, to click on one of two buttons, “I accept” or “I refuse”.

These two buttons initially presented to the user do not allow him to specifically consent to the processing of his personal data for the purpose of displaying targeted advertising, or for the development of a commercial profile for marketing purposes.

If an ease of use can be proposed by a button of global acceptance or rejection, this functionality can not be presented to it before the different purposes of the treatment are exposed to it, otherwise the user would give a global consent treatment that he does not know and for which specific consent has not been requested. By its very presentation, the global management of consent (acceptance or refusal) must indicate the existence of several treatments or several purposes.

A global acceptance, without even the user being clearly informed of the existence of several treatments or of several purposes, can not meet the criterion of specificity of the consent required by the G29.

Users of mobile partner applications therefore do not specifically consent to the processing of their geolocation data for profiling and advertising targeting purposes.

Finally, the consent must be expressed by a positive action of the user.

The G29, in its opinion 15/2011 of 13 July 2011 referred to above, stated that consent based on the inaction or silence of the data subject, especially in the online environment, does not constitute valid consent. This question arises, in particular, in the case of the use of default parameters that the person concerned is required to modify to refuse treatment.

Thus, when opening the application […], the following window informing people is displayed: When you install or use the […] mobile application, you may need to provide us with some of your data. […], within the framework of the General Regulations on Data Protection, would like to inform you in a very transparent way about the treatments that are to be carried out on the data that we collect […]. You can click Accept to continue to benefit globally from the services offered by […] or click customize to manage your preferences on the use of the application. In this case an explanation will be given to you about the different uses that we make of the collected data. In terms of current legislation, you must be 15 years old to be able to accept or customize your preferences. If you are not 15,

People must scroll through the entire text to bring up the “Customize” clickable link and click on it to access the data privacy pages. Thus, after clicking on the tab “Advertising”, a new window opens, informing them that “we [the application] use targeting features offered by our partners, which allow targeted advertising to be sent to you, tailored to your needs, centers of interest, geo-adapted and personalized commercial offers depending on where you are and your profile. Your data collected for these purposes is transmitted to our partners.” Finally, people can click the “Personalization” tab to disable the default permission to collect their data for targeted advertising purposes.

While this newly developed system improves user information, it can not meet the requirements of the concept of consent.

The fact that all collection purposes are pre-accepted by default can not result in the expression of consent on the part of the user. Indeed, its action is required only to oppose the treatment by unchecking the boxes corresponding to different purposes.

The same is true in the latest version of the CMP presented by the company VECTAURY in the documents communicated on October 26th.

In this new interface, the user who decides to refine his preferences is informed of the five purposes presented by the publisher of the application (preservation and access to information, personalization, selection, dissemination and advertisement reporting, selection, dissemination and content reporting and evaluation).

All of these purposes are pre-accepted by default.

It follows from all the foregoing that the consent of the individuals is not validly collected, and that the data hitherto held and processed by the company VECTAURY are without legal basis.
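The three tests applied above (informed, specific, positive act) can be expressed as a gate on stored consent records. The following Python sketch is an added example, not part of the CNIL decision and not VECTAURY or IAB code; the record fields, the action names and the controller name `ExampleAdCo` are assumptions made for illustration, and the sample records are constructed.

```python
"""Consent-record gate modelled on the three criteria discussed in the decision.
Field names, action names and sample records are hypothetical and constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class PurposeChoice:
    granted: bool       # final state of the checkbox for this purpose
    preselected: bool   # True if the box was already ticked when displayed
    user_toggled: bool  # True if the user actually interacted with the box


@dataclass
class ConsentRecord:
    device_id: str
    action: str                  # "accept_all", "refuse_all" or "customize"
    purposes_shown_first: bool   # were the purposes listed before the buttons?
    controllers_shown: Set[str]  # controllers named when the choice was made
    choices: Dict[str, PurposeChoice] = field(default_factory=dict)


def consent_defects(rec: ConsentRecord, controller: str, purpose: str) -> List[str]:
    """Return the reasons the record cannot serve as consent for
    (controller, purpose). An empty list means the record is usable."""
    defects: List[str] = []

    # Informed: the controller's identity must be given with the request,
    # not behind a further "see all partners" link the user never opened.
    if controller not in rec.controllers_shown:
        defects.append("not informed: controller not named at time of choice")

    if rec.action == "refuse_all":
        defects.append("refused")
    elif rec.action == "accept_all":
        # Specific: a global accept is only acceptable once the separate
        # purposes have been presented to the user.
        if not rec.purposes_shown_first:
            defects.append("not specific: global accept before purposes shown")
    elif rec.action == "customize":
        choice = rec.choices.get(purpose)
        if choice is None or not choice.granted:
            defects.append("refused")
        elif choice.preselected and not choice.user_toggled:
            # Positive act: a box left ticked by default expresses nothing.
            defects.append("no positive act: purpose pre-accepted by default")
    else:
        defects.append("unknown action: " + rec.action)
    return defects


def ids_without_valid_consent(records, controller, purpose) -> Dict[str, List[str]]:
    """Map device_id -> defects for every record that fails the gate.
    These are the identifiers whose data has no consent basis."""
    failing: Dict[str, List[str]] = {}
    for rec in records:
        defects = consent_defects(rec, controller, purpose)
        if defects:
            failing[rec.device_id] = defects
    return failing


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    # First-screen "I accept": no purposes listed, no controller named.
    ConsentRecord("dev-a", "accept_all", False, set()),
    # "Refine my preferences", box left in its pre-ticked default state.
    ConsentRecord("dev-b", "customize", True, {"ExampleAdCo"},
                  {"personalization": PurposeChoice(True, True, False)}),
    # Unticked by default, user ticked it, controller was named: usable.
    ConsentRecord("dev-c", "customize", True, {"ExampleAdCo"},
                  {"personalization": PurposeChoice(True, False, True)}),
    # Explicit refusal.
    ConsentRecord("dev-d", "refuse_all", True, {"ExampleAdCo"}),
]

if __name__ == "__main__":
    failing = ids_without_valid_consent(SAMPLE_RECORDS, "ExampleAdCo", "personalization")
    for device_id, reasons in failing.items():
        print(device_id, "->", "; ".join(reasons))
```

Running the gate at ingestion time, rather than after the fact, keeps records such as `dev-a` and `dev-b` out of the profile store in the first place.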

  2. Regarding data from bid requests received by VECTAURY

The delegation was informed that the company VECTAURY is the recipient of personal data, including geolocation data and advertising identifiers of computers, by means of bidding in which it decides, or not, to follow up.

This data is collected, initially, in applications without contractual link with VECTAURY, either by a code directly integrated by the editor in the application, or by the SDK of another company. These data are transmitted during the auction process to various intermediaries before reaching the companies or […] and then sent to VECTAURY by the latter.

The company retains and subsequently processes this personal data whether or not it has bid on the auction in question, and whether or not it has won the said auction.

As a first step, this data is processed in order to analyze, by an automatic and almost instantaneous computer process, the opportunity to respond to the proposed bid.

After the bid has been accepted or rejected by VECTAURY, and after this bid has been won or lost, the data is retained and processed again to analyze the physical conversion of mobile advertising campaigns, target campaigns prospecting and improve the profiles of the data subjects already present in the company’s databases.

The two purposes for which the data are transmitted to VECTAURY are therefore the auctioning process on the one hand, and the definition of a commercial profile of the individuals on the other hand.

However, the collection and processing of such personal data are permitted only if they meet the requirements of Article 7 of Law No. 78-17 of 6 January 1978, which provides that:

Processing of personal data must have the consent of the data subject or satisfy one of the following conditions:

1° Compliance with a legal obligation incumbent on the controller;

2° Safeguarding the life of the person concerned;

3° The execution of a public service mission with which the controller or the addressee of the treatment is invested;

4° The execution of either a contract to which the person concerned is party or of pre-contractual measures taken at the request of the latter;

5° The realization of the legitimate interest pursued by the controller or the recipient, subject to not disregarding the interest or fundamental rights and freedoms of the person concerned.

The company VECTAURY puts forward the consent given by users to implement the processing of personal data, including geolocation, contained in the offers of real-time auction.

As indicated above, it appears from the documents communicated on June 12, 2018 by the company VECTAURY that it has registered with the IAB, an association of professionals in the internet advertising market.

As part of its lobbying activity, the association has drawn up a list of purposes specific to advertising activity on the internet [4]. These purposes are as follows:

  • storage and access to information;
  • customization;
  • the selection of advertisements, diffusion, report;
  • content selection, dissemination, report;

The retention and processing of geolocation data from real-time auction bids for profiling purposes appears to be covered by the second purpose of the IAB list, which is defined as the collection and processing of information about the use of the service by the user to further personalize the advertisement and/or the content for him in other contexts, such as on other websites or applications, over a long period of time. Generally, the content of the site or application is used to make inferences about the interests of the user that inform the future choice of advertising and/or content.

The processing of these data for the immediate response to an auction bid appears to correspond to the third purpose defined by the IAB, defined as the collection of information, and its combination with information previously collected, to select and disseminate advertisements for the user and to measure the diffusion and effectiveness of these advertisements. This includes the use of previously collected information about the user’s interests to select ads, the processing of data about which ads were served, their frequency, when and where they were served, and whether the user has taken actions related to the ad, such as clicking on an ad or making a purchase. This does not include Customization.

In order to guarantee the specific and informed nature of the consent collected for the benefit of the partners, it is up to the company from which the bid originates and which collects the data to make available to mobile users information on the recipients of these data. This information must take the form of a communication directly at the time of data collection, possibly through a hypertext link to this list.

However, real-time auctions are communicated by the applications concerned to several series of intermediaries before being taken up and processed by the companies concerned (such as VECTAURY) without the persons whose data are processed being informed, and without their giving consent to such processing.

Indeed, the analysis of the documents resulting from the inspection carried out at the premises of the company VECTAURY shows in particular that it received and retained the data from 144 real-time auction bids originating from the application […]. The checks carried out on the application on this occasion […] show that mobile users are not validly informed and have not validly consented to the collection and processing of their personal data for advertising purposes.

The company has recently indicated, in the documents communicated to the Commission on October 26, 2018, that amendments to the contracts signed by […] (August 10, 2018) and […] stipulate that the SSPs are obliged, on the one hand, to obtain the consent of users for the purposes of the processing performed by VECTAURY and, on the other hand, to provide the chain of consent to VECTAURY for each user by purpose.

On this point, in accordance with the provisions of Article 7 of the GDPR, where the processing is based on consent, the controller can demonstrate that the data subject has consented to the processing of personal data concerning him or her.

The obligation imposed by Article 7 cannot be fulfilled by the mere presence of a contractual clause guaranteeing an initial consent validly collected. VECTAURY must be able to demonstrate, for all the data it processes today, the validity of the expressed consent.

It is clear that the company VECTAURY is currently unable to demonstrate that the data collected through real-time bidding offers are currently systematically the subject of a consent that is informed, free, specific and actively manifested.

For this reason, the lack of informed consent deprives VECTAURY’s processing of real-time bids of the legal basis of consent.

The aforementioned facts thus constitute a breach of the provisions of Article 7 of the Law of 6 January 1978 as amended.

Consequently, the company VECTAURY, located at 33, rue la Fayette in Paris (75009), is given formal notice, within a period of three (3) months from the notification of this decision and subject to any measures that it may already have adopted, to:

  • not proceed without a legal basis with the processing of geolocation data of persons for advertising targeting purposes, in particular to collect, in an effective manner, the prior consent, under conditions consistent with the provisions of Articles 6 and 7 of the GDPR, of users of applications published by VECTAURY partners, such as the users of the applications from which real-time bidding offers originate, to the processing of their data by the latter;
  • purge the data obtained without informed, specific and actively manifested consent;
  • justify to the CNIL that all the aforementioned requests have been respected, and within the time limit.

At the end of this period, if the company VECTAURY has complied with this formal notice, the present procedure will be considered closed and a letter will be sent to it to this effect.

Conversely, if the company VECTAURY has not complied with this formal notice, a rapporteur will be appointed who can ask the restricted formation to pronounce one of the sanctions provided for by Article 45 of the Law of 6 January 1978 as amended.

The president

Isabelle FALQUE-PIERROTIN

[1] A person who browses the Internet from a mobile device.

[2] Software Development Kit.

[3] Hashing with the SHA256 algorithm and addition of a salt.

[4] A “purpose” is a use of data that leads to a specific business model and produces specific results for users and businesses. The purposes must be detailed at the collection point, either individually or in combination. Free Translation, IAB Europe Transparency & Consent Framework Policies, appendix A.

Date of publication on legifrance: November 9, 2018