French regulator’s decision against an adtech company confirms that IAB “Transparency & Consent Framework” does not obtain valid consent. The case also illustrates how even tiny adtech companies can unlawfully gather millions of people’s personal data from the online advertising “real time bidding system” (RTB).

Where the unlawful data came from: RTB

La Commission nationale de l’informatique et des libertés (CNIL) discovered the personal data of 67.6 million people when it conducted an on-site inspection of a small[1] adtech firm called Vectaury, in April 2018.[2] The online advertising “real time bidding system” (RTB) system made these data available to this firm, as it does to countless others.

Every time a person visits a website or interacts with an app that uses the RTB system, intimate personal data about them is broadcast to tens or hundreds of companies. Advertising technology companies called “supply side platforms” (SSPs) and “ad exchanges” broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the person on the site or app.

Vectaury is a “demand side platform” (DSP),[3] and receives these bids from SSPs[4] acting on behalf of 32,708 mobile apps.[5] The data it collects includes people’s locations, and the advertising IDs of their mobile devices.[6] In addition, the company collected a further 5 million people’s data via an SDK embedded in the apps of its business partners.[7]

The company’s website claims that it deletes 70% of all data it receives,[8] which raises the question of whether it actually received not 67.6 million, but a quarter of a billion people’s personal data from the RTB system.

On its own, the unlawful transmission of 67.6 million or 227 million people’s personal data is a major data breach. However, as our complaint to Irish and UK data protection regulators shows, the problem is far larger than one adtech company. It is industry-wide.

CNIL concludes that the IAB approach to consent is unlawful

CNIL noted that the industry should use this case as an example,[9] and concluded

“It is clear that Vectaury is unable to demonstrate that the data currently collected through real time bid requests are subject to informed, free, specific, and unambiguous consent.”[10]

Its decision highlights several problems with the IAB framework.

Problems for all implementations of the IAB framework

1. The “purpose specification” principle.

In late 2017 the Article 29 Working Party cautioned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”.[11] Consent requests for multiple purposes should “allow users to give specific consent for specific purposes”.[12] European regulators had explicitly warned against conflating purposes months before IAB Europe debuted the design of its approach to consent (“transparency and consent framework”):

“If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom. This granularity is closely related to the need of consent to be specific …. When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.”[13]

This is in keeping with Article 5 (1) b and Recital 32 of the GDPR.[14]

The test is “If a purpose is sufficiently specific and clear, individuals will know what to expect: the way data are processed will be predictable.”[15] The objective is to prevent “unanticipated use of personal data by the controller or by third parties and in loss of data subject control [of these personal data]”.[16]

In short, a purpose must be specific, transparent and predictable.[17] It must be describable to the extent that the processing undertaken for it would not surprise the person who gave consent for it. Consent requests must be granular, showing opt-ins for each distinct purpose.

Therefore, it was highly likely that the CNIL would conclude that the text[18] that the IAB uses to describe personalization “can not be used to express informed consent”.[19] It is “imprecise”.[20] This is presumably because it conflates many separate processing purposes under a single catch-all purpose. CNIL also noted that the text “is written in unclear terms that do not allow the person to understand what he or she consents to.”[21]

2. Information about recipients of data

IAB Europe’s design, which the adtech company in question had faithfully reproduced, bundles together a host of separate data processing purposes under a single opt-in. As a result, CNIL found that “the user is not informed of the recipients of his data” on the initial screen where one can click accept”.[22] Therefore “the possible consent he would give by clicking on the button I accept would not be informed consent.”[23]

Instead, the design requires that to see who will receive their data, a person must first click “choose to refine their preferences, and then scroll down to reach a link entitled ‘See all partners’.”[24]

This is worth reiterating. CNIL has ordered that clicking on the button ‘I accept’ on the IAB consent dialogue “would not be informed consent”[25]

Elsewhere in its decision CNIL says the list of recipients must be communicated directly to the data subject, and must not go through several intermediaries first.[26] “This information must take the form of a communication directly to the collection of data possibly through a hypertext link to this list”.[27]

3. Proof of validity of passed consent

The company had obliged the SSPs that send the data are obliged by contract (note – there are no contracts with Vectaury’s RTB partners, only its SDK partners) to get consent from people for what it would do with their data. However, CNIL noted that Article 7 (1) of the GDPR requires the recipient of the data to be able to demonstrate that it has, as CNIL put it, “the chain of consent to Vectaury for each user by purpose”.

“The obligation imposed by Article 7 can not be fulfilled by the mere presence of a contractual clause guaranteeing an initial consent validly collected. Vectaury must be able to demonstrate, for all the data it processes today, the validity of the expressed consent.”[28] It would be very challenging, and perhaps impossible, for a company in its position to prove this validity.

Problems for some implementations of the IAB framework

1. Misleading or vague text

The company used very general descriptive text on the first consent screen.

“In order to improve our application and to send you personalized content and / or commercial offers, our partners and ourselves collect your personal data such as your browsing data or your geographical position. It also allows us to provide you with free access to our service and we are committed to delivering ads with non-intrusive formats. By accepting, you consent to our partners and ourselves collecting and processing your personal data for analysis and advertising purposes.”[29]

Vectaury’s language here is little different from what appears on most consent screens. CNIL, unsurprisingly, found that this text “does not allow the persons concerned to understand precisely what they consent to.”[30] It also observed that the text “lacks transparency, in that it may suggest to the user that its refusal to have its data collected and processed will result in either a paid business model or an inability to use the application. One may also be led to believe that the refusal to collect their data will make advertisements more intrusive”.[31]

2. Pre-ticking

Once a user goes to the trouble of displaying the various purposes presented in the IAB framework, the CNIL reported that this particular adtech company had decided to pre-tick each option by default. But, as recital 32 of the GDPR observes, “pre-ticked boxes or inactivity should not … constitute consent.”[32] This is a feature of many consent dialogues today, though one that can be easily remedied.

Conclusion

This is the latest in a series of decisions published by CNIL against adtech companies. Previous decisions on adtech companies Fidzup[33] and Teemo[34] and Singlespot[35] are linked in the footnotes. What marks this decision apart are the broad implications for RTB, and for the IAB consent framework.

Vectaury has been ordered to delete all the data, and to stop processing without proper consent.[36] The first demand may put it out of business, though the second may make it impossible to continue business in any case.

The SSPs[37] that wrote the IAB consent framework, and the national IAB branches, have convinced many publishers and developers to adopt it. This has been a mistake. As I argued over a year ago, the problems in the IAB’s approach were clearly apparent in the text of the Regulation, and the body guidance provided by European regulators dating back to the 1995 Directive. [38]

This decision should be a wake up call for the industry, a milestone in its reform.

Notes:

[1] Although it raised €20M in investment after the conclusion of the 12 month period of data gathering that CNIL reported on. See “Décision n° MED 2018-042 du 30 octobre 2018 mettant en demeure la société VECTAURY”, CNIL, published 9 November 2018 (URL: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594451&fastReqId=974682228&fastPos=2); and “Vectaury boucle un tour de table de 20 millions d’euros”, Vectaury, 3 October 2018 (URL: https://www.vectaury.io/fr/blog/tour-de-table-de-20-millions-euros).

[2] ibid.

[3] It is also a DMP and trading desk. “Nos technologies proprietaires mobiles”, Vectaury (URL: https://www.vectaury.io/fr/technology).

[4] “Décision n° MED 2018-042 du 30 octobre 2018 mettant en demeure la société VECTAURY”, CNIL, published 9 November 2018 (URL: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594451&fastReqId=974682228&fastPos=2).

[5] “Délibération du bureau de la Commission nationale de l’informatique et des libertés n° 2018-343 du 8 novembre 2018 décidant de rendre publique la mise en demeure n°MED-2018-042 du 30 octobre 2018 prise à l’encontre de la société VECTAURY”, CNIL, published on 9 november 2018 (URL: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594601&fastReqId=974682228&fastPos=1).

[6] “Décision n° MED 2018-042 du 30 octobre 2018 mettant en demeure la société VECTAURY”, CNIL, published 9 November 2018 (URL: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594451&fastReqId=974682228&fastPos=2).

[7] ibid.

[8] “LA PRIVACY EST DANS L’ADN DE VECTAURY”, Vectaury website, (URL: https://www.vectaury.io/fr/privacy).

[9] “Délibération du bureau de la Commission nationale de l’informatique et des libertés n° 2018-343 du 8 novembre 2018 décidant de rendre publique la mise en demeure n°MED-2018-042 du 30 octobre 2018 prise à l’encontre de la société VECTAURY”, CNIL, published on 9 november 2018 (URL: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594601&fastReqId=974682228&fastPos=1).

[10] “Décision n° MED 2018-042 du 30 octobre 2018 mettant en demeure la société VECTAURY”, CNIL, published 9 November 2018 (URL: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594451&fastReqId=974682228&fastPos=2).

[11] “Guidelines on consent under Regulation 2016/679”, Article 29 Working Party, 28 November 2017, p. 11.

[12] ibid., p. 13.

[13] ibid., p. 11.

[14] Regulation (EU) 2016/679 of The European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 5 (1) b; see also Recital 32. “…Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. …”

[15] “Opinion 03/2013 on purpose limitation”, Article 29 Working Party, 2 April 2013, p. 13.

[16] “Guidelines on consent under Regulation 2016/679”, Article 29 Working Party, 28 November 2017, p. 12.

[17] “Opinion 03/2013 on purpose limitation”, Article 29 Working Party, 2 April 2013, p. 13.

[18] “The collection and processing of information about user of a site to subsequently personalize advertising for them in other contexts, i.e. on other sites or apps, over time. Typically, the content of the site or app is used to make inferences about user interests, which inform future selections.” Consent string and vendor list format: transparency & consent framework, IAB Europe, April 2018 (https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/Consent%20string%20and%20vendor%20list%20formats%20v1.1%20Final.md#what-are-the-purposes-and-features-being-supported-); and see French translation of purpose definitions at https://vendorlist.consensu.org/purposes-fr.json.

[19] “Décision n° MED 2018-042 du 30 octobre 2018 mettant en demeure la société VECTAURY”, CNIL, published 9 November 2018 (URL: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594451&fastReqId=974682228&fastPos=2).

[20] ibid.

[21] ibid.

[22] ibid.

[23] ibid.

[24] ibid.

[25] ibid.

[26] ibid.

[27] ibid.

[28] ibid.

[29] See video at “CMP Vectaury consent management platform”, Vectaury (URL: https://www.vectaury.io/fr/cmp). Text also copied in CNIL decision.

[30] ibid.

[31] ibid.

[32] GDPR, Recital 32.

[33] “Décision n° MED 2018-023 du 25 juin 2018 mettant en demeure la société FIDZUP”, CNIL, published 19 July 2018 (URL: https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000037217124).

[34] “Décision n° MED 2018-022 du 25 juin 2018 mettant en demeure la société TEEMO”, CNIL, published 19 July 2018 (URL: https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000037217051).

[35] “Décision n° MED 2018-043 du 8 octobre 2018 mettant en demeure la société SINGLESPO”, CNIL, published 23 October 2018 (URL:https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037512263&fastReqId=1978338545&fastPos=2).

[36] ibid.

[37] AppNexus Inc.; Conversant, LLC; DMG Media Limited; Index Exchange, Inc.; MediaMath, Inc.; Oath, Inc.; Quantcast Corp.; and, Sizmek, Inc. are named in the copyright notice of “Transparency & Consent Framework, Cookie and Vendor List Format, Draft for Public Comment, v1.a”, IAB Europe, p. 3.

[38] Johnny Ryan, “GDPR consent design: how granular must adtech opt-ins be?”, PageFair, 8 January 2018 (URL: https://pagefair.com/blog/2018/granular-gdpr-consent/); Johnny Ryan, “Risks in IAB Europe’s proposed consent mechanism”, PageFair, 20 March 2018 (URL: https://blockthrough.com//).