Since the introduction of the GDPR in May 2018, the Information Commissioner (ICO) has yet to take action in relation to any complaints under the new rules, with most of its recent enforcement decisions relating to matters which occurred before the GDPR came into force.
However, the regulatory authority in France, the Commission Nationale de l’Informatique et des Libertés (CNIL), has recently taken action against two companies under the GDPR in relation to improper consent for the use of geo-location data. The CNIL's approach is worth noting, since the GDPR intends that a consistent approach to enforcement is adopted across Europe. It also provides an insight into the level of consent required under the GDPR.
The CNIL decision relates to two companies (“Teemo” and “Fidzup”) which used geo-location data to provide targeted advertising. Essentially, these companies offer a tool which enables their customers (for example, retailers) to collect geo-location data from their own customers or mobile app users, which in turn allows them to provide targeted advertising based on certain identified points (such as their own stores, competitor stores or places of interest). This processing was based on consent obtained by the app operator to process the users’ personal data.
The CNIL concluded that the consent relied on did not meet the requirements of the GDPR. The GDPR requires that consent is freely given, specific, informed and unambiguous. The consent relied on by Fidzup and Teemo was considered not to meet this standard for the following reasons:
The CNIL also found that Teemo was retaining the data collected for a period of 13 months, which was considered to be excessive.
The CNIL issued both companies with formal notices requiring them to take steps to be compliant with the GDPR in three months. If they fail to comply, the CNIL may impose a penalty.
This approach by the CNIL indicates a degree of leniency, given that the companies have been allowed time to become compliant, with no further action being taken if they achieve this. However, it also indicates the willingness of authorities to take action to hold companies to account.
This is also a helpful indication of the considerations applied when assessing whether consent meets the standard required by the GDPR. The findings of the CNIL show that, where consent is relied on as the lawful basis for processing data, specific consent for each different use of the data may be necessary. They also show that bundling consent, to the extent that a person cannot use the service without consenting to all types of data processing (even those not strictly necessary to provide the service), may be a practice which cannot continue under the GDPR.
Miller Samuel Hill Brown can assist with further advice on the GDPR and how it might affect your business, and in providing contracts and policies which might be required. Please get in touch on 01412211919 to discuss how we can help you.