CNIL statement on Adtech

Last Friday, the CNIL (French DPA) issued a short statement about their approach to GDPR and ePrivacy enforcement with the adtech market. The statement was released on the heels of the ICO adtech report, and can be seen as part of a cross-DPA focus on the adtech market.

The key points:

  • In the view of the CNIL, marketing activities have been the basis for a substantial portion of the complaints they are receiving. They cite complaints issued by La Quadrature du Net, Privacy International, and NOYB. In addition, in 2018, 21% of the complaints were related to marketing in the broad sense.
  • As a result, the CNIL has decided to make targeted online advertising a priority topic for 2019.
  • The requirements of the ePrivacy Directive, including consent for all non-essential cookies, now include the GDPR requirements for consent. Implied consent is not compatible with this standard. They explicitly exclude scrolling down, swiping or browsing through a website or application as a valid expression of consent.
  • The ePrivacy Regulation is not imminent and the CNIL will not wait for it.
  • The CNIL is working on a pan-EU harmonized approach for consent standards. This usually means defaulting to pre-existing work from other regulators and guidance from the European Data Protection Board. In practice, this also means tilting towards the more conservative standards these organizations have put on record.
  • New guidelines on cookie consent are to be released by the CNIL later this month, with a 12-month ‘grace period’ for enforcement.
  • Further guidance on operational aspects of collecting consent is to be issued later this year after consultation with various stakeholders.

The CNIL statement does not address many of the substantive issues that the ICO adtech report delves into, including the viability of legitimate interest, reliance on contract, treatment of special category data, etc. But on the broad topics of enforcement prioritization (target = adtech) and consent standards (implied consent = dead), several of the most important DPAs for the digital media market are going on record and they are aligned.


The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at hello@lucidprivacy.io or visit us on the web or Twitter.