CNIL Vectaury Notice in Context for Digital Media

The CNIL Vectaury notice from last month represents the most important public enforcement activity for marketers so far in the post GDPR period and the privacy and adtech communities are abuzz. Google translate version in English Unfortunately, much of the public conversation so far has been focused on whether consent is possible, and whether the IAB EU or Google are set up to achieve consent in a legally viable manner.

Speculation is fun, but we shouldn’t get ahead of ourselves. The CNIL notice is far more useful for the tactical guidance it provides for companies striving in good faith to comply with GDPR and do right by their users. For companies dragging their feet, the notice also makes it clear that industry tomfoolery around consent will no longer be tolerated.

CNIL, the French Data Protection Authority, has come down with more specific guidance on what they expect to see from marketers gathering consent, and they have put the industry on notice that expectations are HIGH post GDPR. It now seems clear that regulators (beginning with the CNIL) will not be shy about pushing the industry to change practices, even if those changes have a negative impact on them and the digital media ecosystem writ large. The law and the regulator’s view of the consumer interest will come first.

The most important takeaways:

• Companies can no longer rely on contractual assurances with partners alone to establish their legal basis for processing data. This notice is the clearest and most formal guidance yet demanding demonstrable user level consent in addition to contractual assurances between companies. In practice, this means that consent (or the establishment of legitimate interest) is no longer the remit of the legal team alone. We now need to involve the product team to verify and log the legal basis in the DB at a user level.
• For anyone still in denial, mobile IDs (IDFA, AD-ID) and location information are clearly personal data and subject to GDPR.
• CNIL references Article 29 Working Group guidance throughout the notice to establish and validate their standards. The Article 29 WG was the formal collective body for EU regulators (pre-GDPR), and they issued guidance that was not legally binding and generally more conservative than many individual DPA offices. The use of Article 29 WG standards signals a more conservative approach to evaluating the digital media ecosystem, and as a first strike from a DPA, will likely influence how other DPAs consider the industry.
• If you hold all of your client data in a single DB, expect the regulator to presume that you are a controller. The processor/controller debate is more complex than this of course, but individual signals like storage architecture can be influential.
• Consent standards are going to be exacting and many companies will need to make changes. More on this tomorrow.
• 3rd party consent through current mobile OS providers is impossible. This could change, but so long as these notices don’t mention 3rd parties or their processing purposes, consent will be invalid. Mobile SDK providers take note and begin to develop your own verifiable consent experience.

The IAB EU consent framework and Google also make appearances in the notice, and some have argued that the notice is a staggering blow to one or both. I don’t see it.

To be sure, the notice points to weaknesses in current implementations that will need to be addressed. If we have seen the best that both have to offer 6 months into GDPR than I would agree they have fallen very short of the mark and could be considered “toast”.

Of course, that’s silly. I read the notice as laying a more specific set of guardrails around consent practices, some of which cut across the market as it stands and will force difficult decisions. Smart and agile companies (and frameworks) will be able to adapt.

For companies criticizing those working hard on consent interfaces and protocols for their deficiencies, please understand where digital media is headed, should the consent assemblers fail. If we cannot achieve consent as an industry, we cannot set cookies or collect mobile IDs. We need consent under the ePrivacy Directive regardless of our legal basis for processing under GDPR. Under GDPR, if consent is eliminated, we are left solely with a legitimate interest, and this is also vulnerable over the medium term.

If we have neither consent nor a legitimate interest, virtually every 3rd party technology behind the modern internet has no legal basis for interacting with consumers in Europe.

If you are involved in the digital media space, please join the fray and cheer your peers on. If you are already in the fray, be smart and iterate fast, for all of us.

Finally — keep tuned for more DPA activity. We’re expecting Q1 to be busier than Q4.

Tomorrow: Gathering consent post CNIL Vectaury notice

If you found this piece valuable, please give us a few hearty claps and follow us for ongoing updates. We also welcome discussion — please leave your comments and feedback in a response below!

The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at hello@lucidprivacy.io or visit us on the web or Twitter.