Profile picture
Robin Berjon @robinberjon
, 19 tweets, 6 min read Read on Twitter
Recently, the @CNIL issued a decision regarding the GDPR compliance of an unknown French adtech company named "Vectaury". It may seem like small fry, but the decision has potential wide-ranging impacts for Google, the IAB framework, and today's adtech. It's thread time! 👇
It's all in French, but if you're up for it you can read:
• Their blog post (lacks the most interesting details): cnil.fr/fr/application…
• Their high-level legal decision: legifrance.gouv.fr/affichCnil.do?…
• The full notification: legifrance.gouv.fr/affichCnil.do?…

I've read it so you needn't!
Vectaury was collecting geolocation data in order to create profiles (eg. people who often go to this or that type of shop) so as to power ad targeting. They operate through embedded SDKs and ad bidding, making them invisible to users.
The @CNIL notes that profiling based off of geolocation presents particular risks since it reveals people's movements and habits. As risky, the processing requires consent — this will be the heart of their assessment.
Interesting point: they justify the decision in part because of how many people COULD be targeted in this way (rather than how many have — though they note that too). Because it's on a phone, and many have phones, it is considered large-scale processing no matter what.
Other factor: the technicity and opacity of ad bidding systems is used to justify greater transparency requirements. People cannot expect to consent to what they don't understand (or even know exist), therefore the adtech ecosystem is de facto under *stronger* requirements.
The decision also notes that the @CNIL is openly using this to inform not just the company in question but whole ecosystem, including adtech of course but also app makers who embed ads and marketers who use them. You're all on notice!
Note that there is no fine: if Vectaury remediates by 1) no longer processing geographic data without consent, 2) retroactively wiping the data they have (since consent was invalid), and 3) prove they've done that then they're good to go. Out of business, too, I would guess.
Fun fact: the @CNIL takes privacy seriously, and two years from now the Vectaury decision they have just made will be anonymised so that just the pure legal content remains.
Let's jump into the heart of it. The decision looked at two distinct but related aspects:

1) Consent obtained directly in apps that embed Vectaury as an SDK, using Vectaury's CMP (Consent Management Platform). You can see it in action in this video:
2) Consent collected elsewhere and signalled to Vectaury through use of the @IABEurope Consent Framework.

Both are found to be failing — the second one in very interesting ways. Keep reading!
The CMP fails exactly as you would expect:

1) The consent is not informed;
2) The consent is not specific;
3) The consent is not affirmative.

Given the high-risk nature of the processing and its opacity, this isn't even a very strict interpretation.
Here is the bombshell though: Consent through the @IABEurope framework is inherently invalid. Not because of a technical detail. Not because of an implementation aspect that could be fixed. No.
You cannot pass consent to another controller through a contractual relationship. BOOM
Precisely: a controller has the obligation to demonstrate, for the entirety of the data they are processing under consent, the validity of the consent obtained. Otherwise you're just failing Article 7.

This is huge.
This means that if someone gains consent for you, and you have a contract saying it's their responsibility to do so, you *still* have the obligation to verify that the consent is valid.
This rules the @IABEurope out as an option, but more than that: @Google forced publishers to collect consent on its behalf for advertising profiling. They have said that they will audit that publishers do it right — but will auditing be enough?
The decision very specifically states the need to verify consent for the "entirety" of the data. By definition an auditing approach only does spot checking.

Also, Google has said they won't use a clear definition of valid consent. This shows they will have to.
So, yeah — that happened. It will be interesting to see how this lines up with @johnnyryan and @RaviNa1k's complaint about programmatic in terms of enforcement decision.
The one part that slightly disappoints me is that the decision does not call into question the role of Android and iOS in providing the ad ID and geolocation in the first place, as joint controllers, without proper consent.

That might be a fight for another day 😊🤗
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robin Berjon
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @robinberjon see all

Profile picture
The @IABEurope has written up an article to try to distance their consent framework from the recent @CNIL decision finding issues with Vectaury's application of consent. I didn't expect much, but I was disappointed anyway. Read it at iabeurope.eu/policy/the-cni…, some notes follow. 👇
But first: you MUST consent.
Much of the IAB's argument is that Vectaury did not follow the framework's policies. This is disputable, but even if true it's an issue in itself: their framework has no real verification and no enforcement. It's yet another trust-everyone festival.
Read 12 tweets
Profile picture
This is a good question: what is the root cause of the lack of privacy online today? Why does media track so much? My personal take is that it boils down to browsers and mobile platforms. Not only is that the master fix, but it is within reach. Follow the thread❗👇
First, I have some assumptions that I want to ensure you know:
1) Without a free and well-funded press before long we'd have no privacy at all. This does NOT justify an exception regime for media, but it constrains the solution. Getting rid of media is not the right option.
2) I do not buy into strict deontologism. It's not enough to make a rule, we need to make it work. If you force people into a choice between the law and survival, don't be surprised that they at least bend the rules. If you incentivise defection, expect defectors.
Read 20 tweets

Related threads

Profile picture
Your work history is distinct, more than most passwords. Your resume identifies you (who else had your last 2 to 4 jobs?) even without your name/photo. @LinkedIn as a social network relies on the collective trust of its users to honor the contexts of career and work.
#GDPR makes @LinkedIn accountable for how the company sticks to promised uses of your data, but GDPR doesn't cover how other members of the network use or abuse your information. Social norms (and peer payback like @LeenaVanD offers) can raise the stakes. But abuse happens.
Most data protection laws deal with the relationship between you and companies. The next round of laws will start to cover data in motion (chat, calls, data in transit). But they also should start to consider person-to-person use/abuse of your data. #gdpr #privacy @IdentityWoman
Read 9 tweets
Profile picture
0/ Coming in HOT today with a thread devoted to a bunch of #crypto- and #blockchain-related events that took place over the past 24 hours or so. Here we go!
1/ ⛽️ I wasn't joking about that 'hot' thing, for @GetGitcoin have introduced Gas Price Heatmaps (gitcoin.co/gas/heatmap).

Assess the price vs. speed tradeoff vis-à-vis @ethereum gas. Super useful!

Built by @FrederikBolding. It's a visual representation of @ETHGasStation data.
2/ 🆕 Asia's top full-suite digital asset trading firm, @QCPCapital, became the first #OTC trading desk to set up a 'Space' on @AirSwap [ $AST ].

Launched last month, Spaces enable unique environments geared to support connections among groups that trade.
Read 33 tweets
Profile picture
The French data protection authority has issued the first formal guidance on the relationship between #blockchain and the #GDPR in the #EU.

I'll tweet some of the main points. Here is the full text: cnil.fr/sites/default/…
1. The @CNIL makes clear that its goal issuing this publication is to provide concrete guidance to actors in the space. This is to be applauded. Many in this space try to build compliant systems but are having a hard time figuring out what this entails.
2. *Data controllers*: unsurprising: where users directly engage with the ledger they can sometimes be controllers.

This, however, is only so where natural or legal persons exercise a professional or commercial activity (broad interpretation of household activity).
Read 19 tweets
Profile picture
I recently learned via @DavidDuvenaud's interview on @TlkngMchns that the de facto bar for admission into machine learning grad school at @UofT is a paper at a top conference like NIPS or ICML. The acceptance rates for these conferences in 2018 were 25.1% and 20.8%, respectively.
This is a consequence of the huge number of students trying to enter the field. Profs will rationally pick and choose the candidates who they believe will be the most productive and require the least amount of training.
But in effect, this means that you need to already have the skills you would normally develop in grad school, just to get into grad school.
Read 8 tweets
Profile picture
President Donald J. Trump Is Working to Protect Our Nation’s Elections from Foreign Interference

@drawandstrike @ThomasWictor @HNIJohnMiller @catesduane @rising_serpent @_ImperatorRex_ @Debradelai @GodlessNZ @almostjingo @TheChillum

whitehouse.gov/briefings-stat…
We’re going to take strong action to secure our election systems and the process.

President Donald J. Trump
PROTECTING OUR ELECTIONS: President Donald J. Trump is issuing an Executive Order that will work to respond to and deter foreign attempts to interfere in our elections.
Read 19 tweets
Profile picture
001/ [article content in this tweet series 001-180 reproduced with permission from Martin Howe QC of Lawyers for Britain @lawyers4britain]
#quote "Leaving the EU on WTO terms: pulling down the barriers to world trade
Introduction: why prices will FALL after Brexit, not rise" /002
002/ #quote "Over the past couple of weeks, the media have been full of lurid scare stories about what will happen if the UK leaves the EU on WTO terms, because negotiations with the EU do not result in a withdrawal agreement." /003
#tariffs #NoDeal #Brexit #WTO #ProjectFear #shortages #food #medicines
003/ #quote "One of the most ridiculous and UNJUSTIFIED of these absurd scare stories is that it will lead to higher prices, and even shortages, of foods and medicines." /004
Read 180 tweets

Trending hashtags

#medicines #ECJ #FSA #Tezos #ThePatriotTimes #report #example #world #privacy #Italian #repealedThe8th #consumers #NLF #Jolani #territories #Morek #USVIA #Gotcha #specialty #tariffs #Syria #poultry #GDPR #gdpr #anomaly

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!