Privacy & Information Security Law Blog

On July 19, 2018, the French Data Protection Authority (“CNIL”) announced that it served a formal notice to two advertising startups headquartered in France, FIDZUP and TEEMO. Both companies collect personal data from mobile phones via software development kit (“SDK”) tools integrated into the code of their partners’ mobile apps—even when the apps are not in use—and process the data to conduct marketing campaigns on mobile phones.

The SDK technology enables TEEMO to collect mobile advertising IDs and geolocation data of users every five minutes. This information is then correlated with the users’ interests determined by TEEMO’s retail partners and used to send targeted ads on the users’ mobile phones. The SDK technology installed by FIDZUP in partners’ mobile apps collects MAC addresses and advertising IDs of mobile phones. In parallel, FIDZUP has installed in its partners’ sale points FIDZBOX devices which collect data relating to MAC addresses and WiFi signal strength of users’ mobile phones. The data is then processed by the company to send targeted, geolocated ads on users’ mobile phones whenever users walk by a sale point of FIDZUP’s partners.

A Breach of the Obligation to Obtain User’s Consent

Despite their claims, the CNIL found that the two companies do not obtain users’ consent in accordance with French data protection law and the EU General Data Protection Regulation (“GDPR”). The inspections carried out by the CNIL on several mobile apps revealed that:

• Concerning TEEMO, users are not informed when downloading mobile apps that an SDK that will collect their data is integrated into the apps.
• Concerning FIDZUP, users are not informed about the advertising targeting purposes of the processing or the data controller’s identity when installing the app. In addition, the information provided in the terms of use of the mobile apps or displayed on posters in stores is provided to users after the collection and processing of their data, whereas obtaining valid consent requires providing that information beforehand.

The CNIL also found that it was not possible to download the apps without the SDK technology.

Finally, the CNIL noted that, when users’ consent is sought for the processing of their geolocation data when installing the app, that consent is limited to the use of the data by the app. Consent is not sought for the collection of the data for marketing purposes via the SDK tools.

The CNIL therefore concluded that the data processed by TEEMO and FIDZUP for targeted marketing purposes is in fact processed without the users’ knowledge and consent in breach of French law and the GDPR.

A Breach of the Obligation to Define an Adequate Retention Period

The CNIL also found that TEEMO retains geolocation data for 13 months. In the CNIL’s view, this retention period is disproportionate in relation to the purpose of the processing. The CNIL stressed that use of geolocation devices are especially intrusive as they constantly track users in real time.

The CNIL’s Requests

The CNIL ordered TEEMO and FIDZUP to obtain users’ valid consent within three months (e.g., via a pop-up containing specific information and a tick-box to signify consent). The CNIL also ordered TEEMO to define a retention period for geolocation data that is proportionate to the purpose of the processing. Failure to do so within the prescribed time limit may result in sanctions, including a fine.