Earlier in November, CNIL, the French data authority, put French ad tech company Vectaury on notice for violating consent-gathering rules under Europe’s General Data Protection Regulation (GDPR). The ad tech company collects geolocation data through behind-the-scenes methods using the likes of software development kits (SDKs) and real-time ad bidding (RTB) for mobile ad targeting purposes. Vectaury specializes in mobile advertising aimed at driving people to retail locations.
An investigation occurred back in April by the CNIL (la Commission nationale de l’informatique et des libertés) brought to light that Vectaury obtained personal data without the proper consent. It created its own consent management platform (CMP). According to the CNIL, Vectaury’s consent tool does not comply with GDPR because:
- The language was unclear, complex and not easily accessible
- The consent was not specific to the processing of geolocation data for targeted marketing
- The user’s choice wasn’t based on an affirmative action, or opt-in
The CNIL has given Vectaury three months to come into compliance. Companies found in breach of GDPR can be assessed fees up to €20 million, or 4 percent of their annual revenue, whichever is higher.