After Google Analytics, will the CNIL tackle the entire advertising chain?

After Google Analytics, will the CNIL tackle the entire advertising chain?

According to our information, new formal notices were sent to French publishers this summer. Tomorrow they could concern all the tools allowing an advertising impression, without forgetting Subscribe with Google and other Google Connect.

It is an understatement to say that the return of French premium publishers is agitated. According to our information, between July 27 and August 8, several of them were given formal notice by the Cnil to make their use of Google Analytics comply with the General Data Protection Regulations (GDPR). These decisions are the first that the Cnil would have communicated in response to complaints filed on June 23 with the French authority by the French developer David Libeau against 42 French media for use of Google Analytics. Asked by the JDN to find out if publishers have been given formal notice, the Cnil declares that it cannot communicate on these complaints at this stage, insofar as they are still under investigation.

The publishers are perplexed: they are asked to take the necessary measures within a month, but these same measures would lead to consequences deemed harmful to their economy and untenable in the long term. The reason given is simple: whether it involves adapting the use of Google Analytics, in particular through proxying, or adopting a third-party tool deemed to be compliant, the link between the information from the analytics and the advertising tools will disappear.

Informal meeting between publishers and Cnil

A concrete example of the impact of this disruption concerns the cost of traffic acquisition: “It often happens that publishers have to use SEA to attract audiences to their site: the absence of analytics information leads to a increase of around 40% in the price of auctions on search”, explains a technical manager of a major French media. And the costs of alternative solutions would be much higher. Consultations are underway between the various bodies representing publishers and their management companies and an informal meeting should take place soon with the French authority so that additional details can be obtained on the feasibility of the recommended solutions.

But that is only the tip of the iceberg. Many players in the digital advertising industry recognize that the reasoning used by the CNIL for an American analytics tool could theoretically apply to almost the entire advertising chain: ad servers, supply side platforms (SSP), demand side (DSP), data management platforms… We hardly ever say it publicly, but we think it no less. The reason is that any advertising impression for which the user’s consent has been obtained for the removal of tracers for measurement or targeting purposes passes through these tools with personal data, the most common of which is IP, and this in a context where an overwhelming share of these technologies are American, starting with Google itself.

“I’m sure Subscribe with Google will be next on the list”

And it doesn’t stop there. Tools that allow publishers to facilitate the connection of their readers, such as Google Connect or Facebook Connect (complaints have already been filed with the CNIL, against the Huffington Post in particular), or subscription decision-making such as Subscribe with Google, very popular with major media brands, could be just as concerned. “I am convinced that Subscribe with Google will be next on the list,” confides the technical manager of a major French media, information that has been confirmed to us by a professional organization well placed to know. “I hope that we will still not come to that and that the authorities which direct us will help us to operate our daily businesses with a little more serenity and fairness”, declared this summer to the JDN the boss of a major French audiovisual company. She then alluded to the imbalance of an advertising market dominated by international platforms and evoked the long-awaited prospect of new regulations to regulate these transfers thanks to the agreement in principle announced on March 25 by the United States and the European Union, which has remained for the moment at the political project stage

Asked by the JDN about the likelihood that such technologies could justifiably be the subject of complaints and later of formal notices, the Cnil replied to the JDN: “We cannot respond to the organizations listed because the Cnil, in as a regulatory body that can pronounce sanctions, is required to follow a legal process framed by law and respecting the rights of the defence, before deciding on a file. during the investigation, any communication of elements would be excluded. If the Cnil were to receive complaints, we would examine the tools in question and question the stakeholders. Depending on the findings and exchanges, the Cnil would always have the possibility of implementing the chain of repression.”

“Depending on the findings and exchanges, the Cnil would always have the possibility of implementing the repressive chain.”

Let us remember the basis of the reasoning that led the Cnil, in consultation with its European counterparts, to give formal notice on February 10 to several organizations using Google Analytics because of illegal data transfers to the United States. “This includes collectively drawing the consequences of the Schrems II judgment of the Court of Justice of the European Union (CJEU) of July 16, 2020, which invalidated the Privacy Shield. The CJEU had highlighted the risk that the American intelligence services access the personal data transferred to the United States, if the transfers were not properly framed”, indicated the Cnil to explain its decision. And as Alexandra Iteanu, lawyer in charge of the GDPR and data division of Iteanu Avocats, explained to the JDN, even the standard contractual clauses, provided for by the GDPR, which could regulate and secure these types of transfers, do not apply in the case of the United States because the federal legislation in force in the US does not offer the same level of requirement and protection as the GDPR. Worse still, this same legislation gives American authorities the possibility of accessing data hosted on the computer servers of any subsidiary of American companies located in other countries. To sum up, according to this interpretation, working today in France with American technologies to manage personal data means exposing yourself to future complaints and consequent formal notices from the Cnil. Case to follow.

Leave a Comment