CNIL Warnings Providing Insight into GDPR Consent Management
Forced consent has been one of the biggest consumer complaints to data protection authorities (DPAs) since the European Union’s General Data Protection Regulation (GDPR) went into effect at the end of May. Although there have yet to be decisions from a DPA about whether Google or Facebook are handling consent properly, CNIL has issued several warnings to smaller advertising or marketing technology companies that it suspects are using personal data in violation of GDPR.
As a result of these warnings, it is becoming clear that many efforts at obtaining consent for data processing may be insufficient to satisfy GDPR compliance obligations despite the effort companies have put into improving their privacy practices in 2018. This may be among the reasons that a recent GDPR survey covered by TechRepublic found that only 29% of EU organizations have fully implemented the European privacy law.
If companies have not properly interpreted the consent requirements of GDPR, it would provide another explanation for why an IAPP survey of privacy technology revealed that consent software was not being adopted at the same rate as other software options, such as data mapping and inventory automation.
Consent is one of the six lawful bases for processing under the GDPR. In order to obtain an individual’s consent according to Article 4, a company must obtain “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In August, French DPA CNIL warned two companies that they were obtaining location data in violation of the GDPR. The companies work with retailers and brands on advertising and measurement, obtaining user location data through a series of partner apps. The app publishers are paid for their location data by the companies.
CNIL found that the app publishers were obtaining consent for the use of the geolocation data by the app but not to transfer it to third parties like the companies that were warned. In other words, the user needed to give consent to data collection for advertising and marketing by the third parties.
According to a TechCrunch article this week, one of the two companies has satisfied CNIL, and the formal warning and investigation have been closed.
Among the changes that needed to be made were:
– Users needed to be clearly informed before the data was collected.
– Users needed to be given a choice of whether to provide each item of data collected and for each purpose. This choice needed to include a full version of the app that did not collect the location data if they declined to provide it, unless the data was necessary to deliver the app for its intended use. CNIL was reportedly clear that businesses cannot require users to provide geolocation data for ad targeting as a condition of using the app.
These two requirements should not come as a surprise to privacy professionals who have read the UK ICO guidance on consent. In response to CNIL, it took the organization about five months to work with the regulator in order to achieve GDPR compliance and have the warning dropped.
Clarip will be closely following these warnings and decisions for any needed modifications to our consent management software. If your organization would like a demo of the Clarip enterprise privacy software, call 1-888-252-5653.