They are mostly invisible, but omnipresent: most mobile applications include trackers. These small cookies collect information on the phone, the use that is made of the application … In general for advertising purposes. At the end of 2017, the Exodus Privacy association, which analyzes the content of consumer applications to list cookies, published a first list showing that applications have an average of over two. The analysis of the operation of these SDK has shown that their legality could be questioned.
This is confirmed by the Commission Nationale Informatique et Libertés (CNIL) in its latest decisions. On Friday November 9th, the personal data agent released the communication to a French publisher of these trackers, Vectaury, scolding him to exploit data from smartphone users without a clear agreement from them.
This company is the fourth of its kind targeted by CNIL since the entry into force of the new European Data Protection Regulation (GDPR) on 25 May. The CNIL has already blocked the Fidzup and Teemo companies in July, and the Singlespot company in October. Teemo has already regularized his situation. Vectaury has three months to comply with the consensus collection, otherwise it risks a sanction by the CNIL.
"42 million advertising ID"
Vectaury integrates pieces of code – "SDK", in computer jargon – in mobile applications distributed by partner companies. These SDKs allow to collect, even when the applications do not work, the advertising ID of smartphones and geolocation data, retrieved through trackers implemented in applications, for example in Météo France. In this way it is possible to connect online and offline activities by offering targeted advertisements based on travel and then displaying them on the smartphone screen.
"Our task is to collect GPS data on smartphones and then process them in our database, to find out how many people have arrived at the point of sale after seeing an advertisement", explained a world Matthieu Daguenet, CEO of Vectaury, in November 2017.
The CNIL, in its statement, transmitted the words of Vectaury, who "Indicates to process these data with the consent of the interested persons". "However, the CNIL audits have found that the consent has not been validly collected"he added. The CNIL also accuses Vectaury of exploiting, without valid consent, the data collected by Internet users during offers of advertising auctions in real time. Vectaury has therefore collected "Over 42 million advertising IDs and geolocation data from over 32,000 applications", said the CNIL.
Three months to comply
To avoid the penalty, Vectaury must submit valid consent requests within three months, but also "Delete unduly collected data"he said the public institution.
"We welcome the requests of the CNIL with seriousness but without apprehension (…) We will respond in the next days to the requests for intervention by the CNIL and then complete our compliance process" said Matthieu Daguenet, CEO of Vectaury, in a statement by the advertising targeting company published shortly after the fine.
Vectaury is the emblem of start-ups that thrive on the commercial exploitation of Internet user data. Founded in October 2014, it employs around 70 people but expects to double its workforce rapidly, after a fund-raising of 20 million euros at the beginning of October. Vectaury claims to "Collaborate with over 100 brands and agencies, with the ability to reach over 25 million qualified profiles in France".