Recently, the @CNIL issued a decision regarding the GDPR compliance of an unknown French adtech company named "Vectaury". It may seem like small fry, but the decision has potential wide-ranging impacts for Google, the IAB framework, and today's adtech. It's thread time! 👇

It's all in French, but if you're up for it you can read:
• Their blog post (lacks the most interesting details): https://t.co/PHkDcOT1hy
• Their high-level legal decision: https://t.co/hwpiEvjodt
• The full notification: https://t.co/QQB7rfynha

I've read it so you needn't!
Vectaury was collecting geolocation data in order to create profiles (eg. people who often go to this or that type of shop) so as to power ad targeting. They operate through embedded SDKs and ad bidding, making them invisible to users.
The @CNIL notes that profiling based off of geolocation presents particular risks since it reveals people's movements and habits. As risky, the processing requires consent — this will be the heart of their assessment.
Interesting point: they justify the decision in part because of how many people COULD be targeted in this way (rather than how many have — though they note that too). Because it's on a phone, and many have phones, it is considered large-scale processing no matter what.
Other factor: the technicity and opacity of ad bidding systems is used to justify greater transparency requirements. People cannot expect to consent to what they don't understand (or even know exist), therefore the adtech ecosystem is de facto under *stronger* requirements.
The decision also notes that the @CNIL is openly using this to inform not just the company in question but whole ecosystem, including adtech of course but also app makers who embed ads and marketers who use them. You're all on notice!
Note that there is no fine: if Vectaury remediates by 1) no longer processing geographic data without consent, 2) retroactively wiping the data they have (since consent was invalid), and 3) prove they've done that then they're good to go. Out of business, too, I would guess.
Fun fact: the @CNIL takes privacy seriously, and two years from now the Vectaury decision they have just made will be anonymised so that just the pure legal content remains.
Let's jump into the heart of it. The decision looked at two distinct but related aspects:

1) Consent obtained directly in apps that embed Vectaury as an SDK, using Vectaury's CMP (Consent Management Platform). You can see it in action in this video: https://t.co/LGOjNOD18d
2) Consent collected elsewhere and signalled to Vectaury through use of the @IABEurope Consent Framework.

Both are found to be failing — the second one in very interesting ways. Keep reading!
The CMP fails exactly as you would expect:

1) The consent is not informed;
2) The consent is not specific;
3) The consent is not affirmative.

Given the high-risk nature of the processing and its opacity, this isn't even a very strict interpretation.
Here is the bombshell though: Consent through the @IABEurope framework is inherently invalid. Not because of a technical detail. Not because of an implementation aspect that could be fixed. No.
You cannot pass consent to another controller through a contractual relationship. BOOM
Precisely: a controller has the obligation to demonstrate, for the entirety of the data they are processing under consent, the validity of the consent obtained. Otherwise you're just failing Article 7.

This is huge.
This means that if someone gains consent for you, and you have a contract saying it's their responsibility to do so, you *still* have the obligation to verify that the consent is valid.
This rules the @IABEurope out as an option, but more than that: @Google forced publishers to collect consent on its behalf for advertising profiling. They have said that they will audit that publishers do it right — but will auditing be enough?
The decision very specifically states the need to verify consent for the "entirety" of the data. By definition an auditing approach only does spot checking.

Also, Google has said they won't use a clear definition of valid consent. This shows they will have to.
So, yeah — that happened. It will be interesting to see how this lines up with @johnnyryan and @RaviNa1k's complaint about programmatic in terms of enforcement decision.
The one part that slightly disappoints me is that the decision does not call into question the role of Android and iOS in providing the ad ID and geolocation in the first place, as joint controllers, without proper consent.

That might be a fight for another day 😊🤗

More from Tech

Thought I'd put a thread together of some resources & people I consider really valuable & insightful for anyone considering or just starting out on their @SorareHQ journey. It's by no means comprehensive, this community is super helpful so no offence to anyone I've missed off...

1) Get yourself on the official Sorare Discord group
https://t.co/1CWeyglJhu, the forum is always full of interesting debate. Got a question? Put it on the relevant thread & it's usually answered in minutes. This is also a great place to engage directly with the @SorareHQ team.

2) Bury your head in @HGLeitch's @SorareData & get to grips with all the collated information you have to hand FOR FREE! IMO it's vital for price-checking, scouting & S05 team building plus they are hosts to the forward thinking SO11 and SorareData Cups 🏆

3) Get on YouTube 📺, subscribe to @Qu_Tang_Clan's channel https://t.co/1ZxMsQR1kq & engross yourself in hours of Sorare tutorials & videos. There's a good crowd that log in to the live Gameweek shows where you get to see Quinny scratching his head/ beard over team selection.

4) Make sure to follow & give a listen to the @Sorare_Podcast on the streaming service of your choice 🔊, weekly shows are always insightful with great guests. Worth listening to the old episodes too as there's loads of information you'll take from them.

You May Also Like

🌺कैसे बने गरुड़ भगवान विष्णु के वाहन और क्यों दो भागों में फटी होती है नागों की जिह्वा🌺

महर्षि कश्यप की तेरह पत्नियां थीं।लेकिन विनता व कद्रु नामक अपनी दो पत्नियों से उन्हे विशेष लगाव था।एक दिन महर्षि आनन्दभाव में बैठे थे कि तभी वे दोनों उनके समीप आकर उनके पैर दबाने लगी।


प्रसन्न होकर महर्षि कश्यप बोले,"मुझे तुम दोनों से विशेष लगाव है, इसलिए यदि तुम्हारी कोई विशेष इच्छा हो तो मुझे बताओ। मैं उसे अवश्य पूरा करूंगा ।"

कद्रू बोली,"स्वामी! मेरी इच्छा है कि मैं हज़ार पुत्रों की मां बनूंगी।"
विनता बोली,"स्वामी! मुझे केवल एक पुत्र की मां बनना है जो इतना बलवान हो की कद्रू के हज़ार पुत्रों पर भारी पड़े।"
महर्षि बोले,"शीघ्र ही मैं यज्ञ करूंगा और यज्ञ के उपरांत तुम दोनो की इच्छाएं अवश्य पूर्ण होंगी"।


महर्षि ने यज्ञ किया,विनता व कद्रू को आशीर्वाद देकर तपस्या करने चले गए। कुछ काल पश्चात कद्रू ने हज़ार अंडों से काले सर्पों को जन्म दिया व विनता ने एक अंडे से तेजस्वी बालक को जन्म दिया जिसका नाम गरूड़ रखा।जैसे जैसे समय बीता गरुड़ बलवान होता गया और कद्रू के पुत्रों पर भारी पड़ने लगा


परिणामस्वरूप दिन प्रतिदिन कद्रू व विनता के सम्बंधों में कटुता बढ़ती गयी।एकदिन जब दोनो भ्रमण कर रहीं थी तब कद्रू ने दूर खड़े सफेद घोड़े को देख कर कहा,"बता सकती हो विनता!दूर खड़ा वो घोड़ा किस रंग का है?"
विनता बोली,"सफेद रंग का"।
तो कद्रू बोली,"शर्त लगाती हो? इसकी पूँछ तो काली है"।
These 10 threads will teach you more than reading 100 books

Five billionaires share their top lessons on startups, life and entrepreneurship (1/10)


10 competitive advantages that will trump talent (2/10)


Some harsh truths you probably don’t want to hear (3/10)


10 significant lies you’re told about the world (4/10)