GDPR Violation Warning Issued to Two French Location Data Companies

French data regulator CNIL has issued a warning to two French data companies, Fidzup and Teemo, for not adhering to the European Union’s General Data Protection Regulation.

The companies in question operate as location intelligence vendors. They work chiefly in online-to-offline advertising and measurement, using SDKs that help them collect accurate location data from partner applications. Fidzup and Teemo pay application publishers for providing them with location data.

The public notices issued by CNIL detailed the actions of each company, describing how consumer consent was obtained for the use of location by the app partners but not for the transfer of that data to third parties. The notices added that consent to the use of location by an app is not the same as consent for data collection for advertising and marketing campaigns by third parties.

The CNIL ruled that the consent Fidzup and Teemo were depending on did not comply with the three main tests of consent under GDPR. Firstly, the consent was not freely given: it was bundled, and users were not given the chance to opt in to one type of data processing but opt out of targeted advertising. Secondly, the consent was not specific, as users were not given the option to consent (or not) to the specific collection and use of geolocation data for targeted advertising.

Finally, the consent given was not informed. In other words, the app users were not asked for their consent prior to downloading the app and therefore were not informed that their data would be used for targeted advertising. The geolocation data began being processed as soon as the app was installed, so data subjects were not given adequate information on downloading the app to advise them of this practice.

The CNIL has directed Fidzup and Teemo to become GDPR compliant within 90 days. If they do so, they may face no penalty; failure to comply with GDPR norms, however, will lead to sanctions that could range as high as 4% of annual global revenue or €20 million, whichever figure is higher.