They are usually invisible, but ubiquitous: most mobile applications contain trackers. These small cookies collect information about the phone, the use made of the application … Generally for advertising purposes. At the end of 2017, the Exodus Privacy Association, which analyzes the content of consumer applications to include cookies in the list, published an initial list showing that applications on average have more than two. The analysis of how it works SDK showed that their legality can be challenged.
This is confirmed by the Committee Nationale Informatique et Libertés (CNIL) in its latest decisions. On Friday, November 9, Constable of personal data has released its message to a French publisher of these trackers, Vectaury, who accuses him of exploiting data from smartphone users without clear agreement on their part.
This company is the fourth of its kind to be attacked by the CNIL since the entry into force of the new European Data Protection Regulation (GDPR) on 25 May. The CNIL has already picked the companies Fidzup and Teemo in July and the company Singlespot in October. Teemo has already arranged his situation. Vectaury has three months to comply with the collection of permissions, otherwise it risks a sanction from the CNIL.
"42 million advertising ID & # 39; s"
Vectaury integrates pieces of code – "SDK & # 39; s", in computer jargon – distributed in mobile applications by its partner companies. With these SDKs it can, even when the applications are not working, collect the advertising ID of smartphones and geolocation data, retrieved via trackers implemented in applications, for example those of Météo France. They thus make it possible to link online and offline activities by offering targeted travel-based advertisements and displaying them on the screen of smartphones.
"It is our job to collect GPS data on smartphones and then process them in our database, to find out how many people have come to the point of sale after seeing an advertisement", explained to world Matthieu Daguenet, the CEO of Vectaury, in November 2017.
The CNIL, in his statement, conveyed the words of Vectaury, which "Indicates to process this data with the consent of the persons involved". "However, the CNIL audits showed that the consent was not validly collected"she added. The CNIL also accuses Vectaury of exploiting, without valid consent, data collected by internet users during real-time offers for ad auctions. So Vectaury has collected "More than 42 million advertising ID & # 39; s and geolocation data of more than 32,000 applications", said the CNIL.
Three months to meet
In order to escape the sanction, Vectaury must draw up valid consent requests within three months, but also "Delete unnecessarily collected data"said the public institution.
"We welcome the demands of the CNIL with serious but fearless (…) We will respond in the coming days to requests for action from the CNIL and thereby complete our compliance process" said Matthieu Daguenet, CEO of Vectaury, in a statement from the advertising-oriented company that was published shortly after the sanction.
Vectaury is a symbol for start-ups that thrive on the commercial exploitation of data from internet users. The company was founded in October 2014 and employs approximately 70 people, but expects to quickly double its workforce, following a fundraising of 20 million euros in early October. Vectaury claims "Working with more than 100 brands and agencies, with the capacity to reach more than 25 million qualified profiles in France".