The IAB Europe’s GDPR Transparency and Consent Framework – which many ad tech companies now depend on to pass user consent strings – could be on shaky legal ground.

On Nov. 9, France’s data protection authority, the Commission nationale de l'informatique et des libertés (the CNIL), issued a warning against a small French ad tech company called Vectaury that collects and processes geolocation data through a software development kit for programmatic advertising. [Read an English translation of the CNIL’s full notice here.]

At first glance, the warning seems vanilla enough. The CNIL calls out Vectaury because the consent management platform it created using the IAB’s framework to collect consent from its publisher and SSP partners doesn’t give users the opportunity to provide consent that is informed, specific and fully opt-in.

The company now has three months to purge any data that was collected without consent, to stop processing location data without a legal basis to do so and to prove to the CNIL that all of its practices are on the up and up.

“What comes out of this decision is that the CNIL does not appear opposed to consent as a legal basis for the processing data for digital advertising and targeting,” said Townsend Feehan, CEO of IAB Europe. “It’s just a question of whether the conditions for consent are met in the execution.”

But a closer examination of the language in the CNIL’s warning spells potential trouble, or least another wrinkle, for users of the IAB’s transparency and consent framework as it stands.

Through bid requests, Vectaury was able to collect data on 67.6 million users derived from over 32,000 apps. But when the CNIL audited Vectaury’s server logs, the company couldn’t provide a consent string through its CMP for every single ID.

Downstream partners in a supply chain – DSPs, SSPs and DMPs, for example – aren’t in a great position to collect user consent on their own, so if they want to comply with GDPR, they generally depend on consumer-facing publishers to get consent on their behalf and pass it along within a secure CMP.

That’s fine, if the controller – which is Vectaury, in this case – can prove that users have given consent to have their personal data processed. But this can’t, in the CNIL’s view, “be fulfilled by the mere presence of a contractual clause guaranteeing an initial consent validly collected.”

In other words, the CNIL is implying that controllers can’t just rely on their partners to gather consent for them. If you receive a consent string, it’s also your job to verify it.

“This means that if someone gains consent for you, and you have a contract saying it’s their responsibility to do so, you *still* have the obligation to verify that the consent is valid,” Robin Berjon, executive director of implementation and data governance at The New York Times tweeted on Friday in reaction to the CNIL’s notice.

But there’s nothing wrong with the concept underlying the framework, according to the IAB.

“A story like this just reinforces to me the need for legal compliance, but also the degree to which the framework ticks all of those boxes,” Feehan said. “The conclusion I would draw from the CNIL’s decision is that it’s perfectly comfortable with consent at a legal basis – but you need to be in compliance with the rules.”

The CNIL recently expressed cautious approval of the work that the IAB has been doing with its consent framework. In September, during a panel at DMEXCO in Cologne, Armand Heslot, a privacy and security expert at the CNIL, said that although the framework is “of course not perfect, it’s going in the right direction.”

“Overall, that is a good approach, and that’s what we would like to see from the industry,” Heslot said, giving succor to an audience of ad tech folks.

But even with a perfect consent system, there are problems, said Johnny Ryan, chief policy and industry relations officer at open-source web browser Brave, who called the IAB’s framework “quicksand upon quicksand.”

“[Vectaury] is clearly just the tip of the iceberg,” Ryan said. “Billions of bid requests are broadcast each day, with no control over what ad tech companies do with the data.”

In September, Brave filed a complaint in the United Kingdom and Ireland arguing that real-time bidding and the systematic sharing of bid request data by Google and other ad tech companies constitutes a data breach under GDPR.

It’s worth pointing out that Google still hasn’t adopted the IAB framework, which many believe reflects that Google doesn’t consider it to be GDPR compliant. To get in line with GDPR, Google released its own CMP, called Funding Choices.

But if the CNIL is questioning the notion of how consent strings function, Google could find itself in the same, possibly leaky boat as the rest of the ad tech industry.

The warning against Vectaury is the fourth issued by the CNIL since August. In September, the CNIL cautioned two French geolocation data companies, Teemo and Fidzup, for processing data without consent. Teemo was cleared early last month , with no word yet on Fidzup’s progress. In late October, another French startup that collects geolocation data for advertising purposes, SingleSpot, was called out by the CNIL for not gathering informed consent.

[Updated 11/20/18 with a correction to the number of users in Vectaury's database.]