Two French Location Data Companies Warned Over GDPR Violation


French data regulator CNIL has warned two French data firms, Fidzup and Teemo, to adhere to the EU’s General Data Protection Regulation (GDPR).

The two firms are location intelligence vendors. They work primarily in online-to-offline advertising, using SDKs that help them gather exact location information from partner apps. Fidzup and Teemo pay application publishers for that location information.

CNIL’s public advisory specified what each company must do to get consumer consent to allow application partners to use location information. However, that consent does not cover the transfer of the information to third parties. Consent allowing an app to use location data is not the same as consent allowing third parties to collect the information for marketing and advertising purposes.

The CNIL determined that Fidzup and Teemo were relying on consent in ways that do not meet the three key tests of consent under GDPR.

First, consent wasn’t freely provided. The consent obtained was bundled together, which means users did not get the opportunity to opt in to one form of data processing and opt out of another, such as usage for targeted marketing.

Second, the consent obtained wasn’t specific. Users were not given the opportunity to allow (or refuse) data collection. Instead, geo-location information was used to target users for advertising purposes.

Lastly, the consent wasn’t informed. Put simply, app users were not specifically asked to give their consent before downloading the application, and so were not well informed that their information would be used for targeted advertising.

The geolocation information was processed the moment the application was installed. Data subjects were not sufficiently informed about this practice.

The CNIL instructed Fidzup and Teemo to achieve GDPR compliance within 90 days. If they comply, they will not be penalized. If they don’t, they will face sanctions and penalties, which may be as high as 4% of yearly global turnover or €20 million, whichever amount is greater.