New CNIL case of GDPR enforcement

Two medium-sized French companies have received warning notices from the CNIL (French data protection authority). Both companies affected – Teemo and Fidzup – collect geolocation data for targeted advertising. 

According to CNIL, the reason for the warning is gathering and processing data without informed consent. Fidzup is admonished for not being clear enough about what data was being collected and Teemo was collecting data only after users downloaded the app. Moreover storing geolocation data for 13 months in Teemo’s case was considered too long for the reason of targeted advertising, according to CNIL.

Interesting to know is that the CNIL examined Teemo in the autumn of last year (2017), but made the case public first in July 2018 to create an industry showcase under GDPR. The CNIL has not imposed any fines (!) – well aware, as some of the points are based on interpretations, but has set a clear deadline for implementing the requirements.

ePrivacy summarizes the viewpoint of CNIL on digital business models:

  • the CNIL sees the responsibility on the processor’s side (in this case: the SDK provider has to make sure that the controller has the valid consent) especially if data is also collected in a parallel model for own purposes (usually as a controller)
  • the CNIL considers high transparency and clear consents to geolocation data in general as critical
  • the CNIL considers longer data storage periods to be critical for certain business models

From ePrivacy’s point of view, this position is disputable.