More DPAs Issuing GDPR Fines and Warnings
We are closely following news from data protection authorities (DPAs) about their GDPR enforcement actions and investigations. There have been a few recently that we wanted to bring you up to speed on here on the Clarip Privacy Blog:
CNIL Warns Adtech Startup Vectaury Over Consent
At the end of October, the French DPA CNIL put French digital advertising startup Vectaury on notice that it was in breach of the General Data Protection Regulation (GDPR) and would face sanctions if it did not correct its practices within three months. The decision made news for its impact on digital advertising and adtech.
Vectaury is an adtech company that matches geolocation data collected via mobile apps distributed by third parties to its profile information to target users with ads by advertisers.
According to the decision, for a period of time after GDPR went into effect, users of the apps were not informed about Vectaury's use of geolocation data and were not asked to provide their consent.
The CNIL decision also covered a period of time when the company attempted to implement a consent management platform (CMP) to collect consent. However, CNIL did not accept this process because of the difficult layered navigation, the default consent settings, and a lack of transparency that meant any choice was not informed.
CNIL also objected to the acquisition of consent in this manner because Vectaury could not independently verify user consent. After the decision, an article in TechCrunch questioned the validity of consent that is passed through contractual agreements among digital advertising companies.
The decision did not impose a fine. Vectaury was given three months to correct its GDPR compliance.
The CEO of IAB Europe described this “first shot across the bows” as “a constructive attempt to nudge the industry in a direction that will contribute to its sustainability.”
German Regional DPA Fines Social Media Platform Over Data Breach
A regional DPA in Germany fined German social media platform Knuddels.de 20,000 euros in November because it stored passwords in plain text. The investigation into one of the country’s largest chat platforms followed a data breach exposing the personal information of 330,00 users. The DPA said that storing the passwords in clear text violated the platform's duty to ensure data security under GDPR Article 31(1)(a).
The low level of the fine took into consideration the cooperation by the platform, their high level of transparency, a range of enhanced security measures implemented since the incident, and the overall financial burden on the company. GDPR authorizes maximum fines of up to 20 million euros or 4 percent of the company’s global annual revenue.
Other Blog Posts on GDPR Enforcement:
EDPB Releases Guidelines on Territorial Scope of GDPR
EDPB Releases Comments on DPIA Requirements under Article 35.4
Dutch Question Microsoft Over Office Data Telemetry Collection Violations under GDPR
Austria Issues First GDPR Fine
Privacy Complaints Up in France after GDPR
ICO Threatens Max GDPR Fine to AggregateIQ
ULD DPA Issues Ban on Data Processing Under GDPR
Data Privacy Complaints Double in UK under GDPR
German DPA Circulates GDPR Compliance Survey