• Whatever else location-based mobile ad platform Teemo accomplishes in its corporate lifetime, it is a survivor of one of marketing’s biggest challenges.

    A GDPR crackdown.

    The company was one of the first ad tech firms to be challenged publicly under the European Union’s General Data Protection Regulation (GDPR).

    Not enough consent

    Based in Paris and New York City, Teemo was first contacted in October 2017 by French privacy regulator Commission Nationale de l’Informatique et des Libertés (CNIL), which wanted to better understand what the company did. In June 2018, CNIL decided Teemo was not in compliance with GDPR, which had gone into effect a month prior. On July 19, that decision was published.

    The company was being targeted on behalf of the ecosystem, CEO and Founder Benoit Grouchko told RampUp, because it was a “leader in the space.” He noted that his firm had more than a hundred customers across Europe, including half of the grocers in France.

    Mobile apps add Teemo’s Software Development Kit (SDK) in order to collect location data, which is then provided to Teemo for processing, profiling, and ad targeting. Prior to the GDPR citation, Grouchko said, data was collected through the apps and end users were given a choice between “OK” and “I want more info.”

    But that wasn’t enough for CNIL.

    Its June decision noted that Teemo had only asked its mobile app publishing partners to include a banner informing users of the collection of data, providing a simple acceptance option. According to CNIL (in Google’s translation), the banner said:

    “In the application we collect data relating to your experience, your navigation, and your geo-location. This data allows us to optimize your user experience, analyze our traffic, and offer you more relevant content. Some information is shared with our partners. By continuing your navigation in the application, you agree to the collection of this data. The company specifies that this banner would also be associated with a check box (or an I accept) that would close the window of the banner.”

    Obtaining consent at the right time

    This practice had several GDPR-related problems, CNIL said.

    The consent banner was displayed only after the mobile app, which contained Teemo’s data-collecting and data-reporting SDK, had been installed. This meant, the regulators said, that the mobile device’s advertising ID and location data were already being collected and communicated when the check box first appeared. The app collected the consent for both the app and the app’s use of the Teemo SDK.

    More importantly, CNIL pointed out, “people are not informed about the collection of their geo-location data via the SDK for the purpose of profiling users and targeting advertising.”

    For instance, the agency said, the consent screen said that user agreement for the capture and use of location data was needed to “take full advantage of the application and offer you content that is as close to your expectations as possible.”

    But, it noted, “users of mobile partner applications therefore do not specifically consent to the processing of their geo-location data for profiling and advertising targeting purposes,” so the consent was not “validly collected” under GDPR.

    Finally, CNIL said, the collected data was retained for 13 months—much longer than needed for ad targeting—and Teemo did not provide for adequate security of the data when it was stored in Google’s cloud.

    A collaborative process 

    The Teemo team had “a lot of back and forth” consisting of emails, phone calls, and in-person meetings with the GDPR officials, Grouchko said. He added that the regulators were very professional and courteous and the exchanges became a “company-wide project.”

    The regulators did not tell Teemo specifically how to respond, but the two sides worked together to figure it out and, he added, their requirements were “totally fair.” The GDPR regulations themselves make clear that they do not prescribe what solutions should be, but rather what those solutions should accomplish. In CNIL’s formal notice on July 19, 2018, the company was given three months to comply with the final CNIL decision, and no fine was levied. A formal announcement in October 2018 closed the matter.

    The resulting changes were “pretty structural to our platform,” Grouchko noted, including how consent is gathered, how the data flow works, and how long data is kept. The new process has “shaped the whole industry of location data,” he said. 

    Here’s a screenshot of the new English-version consent screen from Teemo:

    A template for compliance  

    Teemo’s experience with CNIL provides a template for how marketers can adapt to the emerging requirements for GDPR and, potentially, other privacy regulations.

    Perhaps the biggest lesson is that a cooperative attitude to solving the problem is the best approach. Given the complexity of online interactions and user data management, there cannot be one solution for all situations.

    But, as the Teemo episode shows, there are several key principles. User consent must be clear and specific, it must apply only to the specific circumstance (such as one mobile app), the collected data cannot be kept longer than needed, and data security precautions must be taken in management and storage.

    Remaining unknowns

    One area that is still iffy is the obligation of each party in a data chain. CNIL indicated that Teemo, whose platform is not seen directly by the end user, has a responsibility to ensure that its mobile app publishing partners make the consent available as required. But Teemo’s only real way of enforcing that is to refuse to do business unless its terms are met, which is not the best negotiating stance in most competitive situations.

    While Teemo can manage the data under its control and provide a consent screen, Grouchko told RampUp that it’s up to the app to present the screen and obtain consent. Apps often use a consent management platform to handle that function.

    There’s also the question of which users require GDPR standards. While GDPR is supposed to apply to EU citizens wherever they are, various companies are applying that concept in different ways. 

    A big reason for that approach: if the user’s IP address is in the EU, it’s safe to assume the user is an EU citizen. But there also are EU citizens in, say, Florida.

    As in Teemo’s case, it appears CNIL is mostly interested in getting companies to make a good faith effort, at least for EU territories.

    In general, Grouchko said, Teemo applies the same standard to “everything in our control,” such as data management, regardless of whether the end user is an identified EU citizen or not. But there is a special obligation, he said, when the app publisher knows the user is in the EU. 

    “Overall, it’s been very tough in the short term, to be called out by the regulator,” he said. “It’s not the best press.” But the company has said it is now seeing opt-in rates as high as 80%.

    With a redesigned user consent and data management system that can address the still-emerging privacy regulations in Europe, the U.S., and elsewhere, Grouchko noted, “we’re in a much stronger position.” 
