A ruling in France against a small ad tech firm at the end of October could prove to be a defining moment for data privacy and advertising in Europe.

France’s data protection authority, the Commission nationale de linformatique et des libertés (CNIL), issued a warning [in French] to Vectaury – which collects and processes geolocation data for programmatic advertising – because its consent management platform (CMP) used to collect consent from publisher and SSP partners doesn’t give users the opportunity to provide explicit consent.

The French firm’s consent management platform was created using IAB Europe’s GDPR Transparency and Consent Framework, which could now be in question.

Vectuary collected data on 67.6m users from more than 32,000 apps but, when the CNIL audited its server logs, the company wasn’t able to provide a consent string through its CMP for every single ID. This problem arises out of the fact that collecting user consent can be difficult for DSPs, SSPs, and DMPs, so they rely on publishers to get consent on their behalf and this consent is then passed within a CMP.

In the case of Vectuary, as a data controller, the CNIL concluded that it cannot just rely on partners to gather consent and must also verify that the consent is valid. In turn, this means placing multiple uses of data behind a single ‘click to agree’ format does not equate to valid consent under the General Data Protection Regulation (GDPR).

“What comes out of this decision is that the CNIL does not appear opposed to consent as a legal basis for the processing data for digital advertising and targeting,” Townsend Feehan, CEO of IAB Europe, told AdExchanger, which first reported the CNIL decision. “It’s just a question of whether the conditions for consent are met in the execution.”