Blog: French case clarifies ‘consent’ under GDPR
Val Surgenor and Rebecca Henderson discuss a French case that will likely serve as guidance on the interpretation of “consent” under GDPR.
Location data is a tool useful for marketers to reach mobile app users with targeted, specific advertising. For example, you are scrolling through your favourite social media site while walking down Oxford Street and an advert pops up about a sale in Topshop – perfect!
Location-based marketing is on the increase however the technology has received scrutiny in France, and this week, the French Data Protection Authority - Commission Nationale de l’Informatique et des Libertés (“CNIL”) issued formal warnings to two companies relating to the GDPR standard of consent where they used geo-location data for the purposes of targeted advertising via mobile app but didn’t comply with consent under GDPR.
Just over two months after GDPR came into force, this latest action shows that national data protection authorities are keen to assert the GDPR standards on national companies. This case gives some guidance on how other regulators may interpret “consent” in this context.
What is the GDPR standard of consent?
Under the GDPR, consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The key elements are that it must be freely given, specific and informed. Unlike the previous Data Protection Directive, the GDPR also added the requirement for consent to be unambiguous and given by a statement or a clear affirmative action.
This signalled the end of the opt-out or pre-ticked consent box which relied on inactive or passive consent.
Generally, consent must also:
- be separate from other terms and conditions
- be capable of being withdrawn at any time by the individual with the same level of ease as how they gave their consent
- give the data subject a genuine choice as to which data is processed and how this is processed.
What happened?
In this instance, the CNIL found that two companies (Fidzup and Teemo) were offering a tool which allowed customers to collect and process geo-location data for the purposes of providing targeted advertising to mobile app users.
The CNIL found that the consent Fidzup and Teemo were relying upon (which was obtained via the customer) didn’t meet the three main tests of consent under GDPR:
- Freely given – the consent used was bundled i.e. users could not opt-in to one type of data processing but opt-out of targeted advertising. Therefore the consent was held by the CNIL not to have been freely given due to this bundled consent that was sought for all types of data processing.
- Specific – the users were also not given the option to consent (or not) to the specific collection and use of geo-location data for targeted advertising purposes.
- Informed – the app users were not asked for their consent before downloading the app and therefore were not informed that their data would be used for targeting advertising. The geolocation data began being processed as soon as the app was downloaded and therefore data subjects were not given sufficient information on installing the app to inform them of this practice. The Privacy Policy which was used to eventually get consent from the data subject was also found to be lacking as it did not mention targeted advertising or who the data controller was (i.e. Fidzup or Teemo).
Lessons to be learned
Under GDPR, the standard of consent required has been raised and businesses need to be aware of how the new changes to consent will impact upon data collection and processing.
The key pillar of the GDPR is transparency and accountability which in turn gives data subjects enhanced rights and control over what businesses are doing with their data.
From these warnings issued, it is clear that national data protection authorities are taking the enforcement of the GDPR seriously and ensuring that companies are aware of their obligations to data subjects.
In short – if a data subject wouldn’t expect you to do something, then you shouldn’t unless you have told them in advance. If they can’t understand that from your privacy notice – it isn’t working!
Val Surgenor is a partner and Rebecca Henderson is a trainee at MacRoberts