Recently, the @CNIL issued a decision regarding the GDPR compliance of an unknown French adtech company named "Vectaury". It may seem like small fry, but the decision has potential wide-ranging impacts for Google, the IAB framework, and today's adtech. It's thread time! 👇

It's all in French, but if you're up for it you can read:
• Their blog post (lacks the most interesting details):
• Their high-level legal decision:
• The full notification:

I've read it so you needn't!
Vectaury was collecting geolocation data in order to create profiles (eg. people who often go to this or that type of shop) so as to power ad targeting. They operate through embedded SDKs and ad bidding, making them invisible to users.
The @CNIL notes that profiling based off of geolocation presents particular risks since it reveals people's movements and habits. As risky, the processing requires consent — this will be the heart of their assessment.
Interesting point: they justify the decision in part because of how many people COULD be targeted in this way (rather than how many have — though they note that too). Because it's on a phone, and many have phones, it is considered large-scale processing no matter what.
Other factor: the technicity and opacity of ad bidding systems is used to justify greater transparency requirements. People cannot expect to consent to what they don't understand (or even know exist), therefore the adtech ecosystem is de facto under *stronger* requirements.
The decision also notes that the @CNIL is openly using this to inform not just the company in question but whole ecosystem, including adtech of course but also app makers who embed ads and marketers who use them. You're all on notice!
Note that there is no fine: if Vectaury remediates by 1) no longer processing geographic data without consent, 2) retroactively wiping the data they have (since consent was invalid), and 3) prove they've done that then they're good to go. Out of business, too, I would guess.
Fun fact: the @CNIL takes privacy seriously, and two years from now the Vectaury decision they have just made will be anonymised so that just the pure legal content remains.
Let's jump into the heart of it. The decision looked at two distinct but related aspects:

1) Consent obtained directly in apps that embed Vectaury as an SDK, using Vectaury's CMP (Consent Management Platform). You can see it in action in this video:
2) Consent collected elsewhere and signalled to Vectaury through use of the @IABEurope Consent Framework.

Both are found to be failing — the second one in very interesting ways. Keep reading!
The CMP fails exactly as you would expect:

1) The consent is not informed;
2) The consent is not specific;
3) The consent is not affirmative.

Given the high-risk nature of the processing and its opacity, this isn't even a very strict interpretation.
Here is the bombshell though: Consent through the @IABEurope framework is inherently invalid. Not because of a technical detail. Not because of an implementation aspect that could be fixed. No.
You cannot pass consent to another controller through a contractual relationship. BOOM
Precisely: a controller has the obligation to demonstrate, for the entirety of the data they are processing under consent, the validity of the consent obtained. Otherwise you're just failing Article 7.

This is huge.
This means that if someone gains consent for you, and you have a contract saying it's their responsibility to do so, you *still* have the obligation to verify that the consent is valid.
This rules the @IABEurope out as an option, but more than that: @Google forced publishers to collect consent on its behalf for advertising profiling. They have said that they will audit that publishers do it right — but will auditing be enough?
The decision very specifically states the need to verify consent for the "entirety" of the data. By definition an auditing approach only does spot checking.

Also, Google has said they won't use a clear definition of valid consent. This shows they will have to.
So, yeah — that happened. It will be interesting to see how this lines up with @johnnyryan and @RaviNa1k's complaint about programmatic in terms of enforcement decision.
The one part that slightly disappoints me is that the decision does not call into question the role of Android and iOS in providing the ad ID and geolocation in the first place, as joint controllers, without proper consent.

That might be a fight for another day 😊🤗

More from Tech

A common misunderstanding about Agile and “Big Design Up Front”:

There’s nothing in the Agile Manifesto or Principles that states you should never have any idea what you’re trying to build.

You’re allowed to think about a desired outcome from the beginning.

It’s not Big Design Up Front if you do in-depth research to understand the user’s problem.

It’s not BDUF if you spend detailed time learning who needs this thing and why they need it.

It’s not BDUF if you help every team member know what success looks like.

Agile is about reducing risk.

It’s not Agile if you increase risk by starting your sprints with complete ignorance.

It’s not Agile if you don’t research.

Don’t make the mistake of shutting down critical understanding by labeling it Bg Design Up Front.

It would be a mistake to assume this research should only be done by designers and researchers.

Product management and developers also need to be out with the team, conducting the research.

Shared Understanding is the key objective

Big Design Up Front is a thing to avoid.

Defining all the functionality before coding is BDUF.

Drawing every screen and every pixel is BDUF.

Promising functionality (or delivery dates) to customers before development starts is BDUF.

These things shouldn’t happen in Agile.

You May Also Like

There are some amazing founders and indie hackers that have made 🤯-worthy progress this last year.

The stuff you can do in a year is seriously astounding 👇

👉 @TransistorFM reaching $22k MRR in one year:

I was one of their first customers and the progress @mijustin and @jonbuda have made working mostly part-time has been crazy.

Now both are full-time. Follow them on @buildyoursaas

👉 @talk2oneup reaching $10k MRR in one year:

@daviswbaer joined as a co-founder and through many different marketing tactics, pricing changes, and product updates, they've managed to carve out a niche market in a really competitive industry.

👉 @hostifi_net $9k MRR in one year:

After getting fired from his full-time job, @_rchase_ embarked on a year focused on building products to replace his salary in a year.

The dude seriously SHIPS and even took investment from @earnestcapital


With a strong product, continuous improvement, and SEO, @unindie has really been inspirational.

There are no excuses.
About a month ago, I said to Jeffrey Toobin that it was Mike Flynn—not Paul Manafort—who had the *most* to offer Robert Mueller on the collusion question, underscoring that Flynn's December 2017 plea deal gave Mueller far more than we ever realized. Now here we are, 10 months on.

2/ Trump had two opportunities to formally name Flynn and his co-conspirator Erik Prince to his NatSec team during the 2016 campaign—he declined to do so *both times*. In the criminal justice system this is evidence of consciousness of guilt. Trump knew what these men were doing.

3/ That Trump sought out Flynn—not the other way around—in August '15, and began using him as his chief NatSec adviser right away, but never put him on his National Security Advisory Committee is critical evidence that Flynn was working on projects that had to be "off the books."