On 19 July last year, the President of the French Data Protection Authority – CNIL – issued Fidzup, which specialises in generating in-store traffic, with a formal notice for failure to adhere to the General Data Protection Regulation (GDPR). Following several months’ work, the start-up launched a consent management platform that was perfectly in line with the Commission’s requirements. The sanction was lifted and Fidzup became a pioneer. Here we meet Olivier Magnan-Saurin, co-founder of the start-up.
It all began in September 2017…
The CNIL actually performed an audit of Fidzup in the autumn of 2017 and informed us that the consent we were obtaining with regards to the gathering of data was not “explicit and informed”. This triggered a series of exchanges of information and documents, before Fidzup was given an official formal notice on 19 July, around two months after the GDPR came into force.
What aspects did the CNIL request that you change?
It wanted us to review the consent that we were obtaining from end-users to access their location data.
In actual fact, Fidzup only gathers location data – the smartphone’s advertising ID or Wi-Fi login details, GPS location data, etc. Such data is of a non-personal nature since it includes no names or surnames, no addresses, no phone numbers and no email addresses. The CNIL, however, does consider this to be personal data on the grounds that it can be cross-referenced against external databases to reveal that the individual’s identity.
What action did you take?
The CNIL didn’t make any specific requests and, as we understood it, it was down to us to produce the text and the window that would be displayed to end-users in order to obtain their consent.
After our initial proposal was rejected by the CNIL we decided to work on a multi-partner window that would allow us to obtain consent not only for Fidzup but also for other players. We decided to offer a comprehensive list that would really be of help to publishers. We contacted the IAB, an organisation made up of online advertising companies. With their help, and on condition that we respected the framework in which consent was being sought, we obtained access to a list of members. As a result, we offer publishers the opportunity to obtain consent for over 500 partners through a single window.
We officially informed the CNIL that the work that we had undertaken seemed to meet the requests they had made in early October, with the platform now fully complying with the requirements of the GDPR. The formal notice was lifted on 29 November.
This consent platform has helped establish Fidzup as a pioneer…
Exactly. This multi-partner window has been perfected right down to the last detail. Fidzup it is now able to gather data with compliant consent, as well as supporting those publishers that so wish in ensuring their own compliance by offering access to its own solution for obtaining consent that will reflect the relevant regulatory changes. Of course, we are also committed to working solely with publishers who are GDPR compliant.
We are currently the only player in the drive-to-store market to have obtained both formal authorisation from the CNIL to do what we do and a sufficient volume of data to effectively support our clients in their campaigns thanks to a database compiled in accordance with the GDPR.