
Did a public data privacy warning kill a French startup?

Fidzup co-founder and CEO Olivier Magnan-Saurin says the nation’s data watchdog ‘killed us’


Digital marketing company Fidzup was one of four “drive-to-store” French startups that faced a wave of regulations after Europe began applying its updated data protection framework in May 2018.

Last month, in a final Medium post, co-founder and CEO Olivier Magnan-Saurin revealed that his company had hit the deadpool.

He put the blame for the demise of his startup squarely on the local data watchdog, writing unequivocally that “the CNIL [The Commission nationale de l’informatique et des libertés] killed us.”

But his arguments are about how France’s federal agency in charge of enforcing data privacy laws went about enforcing the pan-EU General Data Protection Regulation (GDPR) — not about the core principles of the legislation itself, which seeks to ensure that personal data is gathered fairly and protected properly. It also gives users rights over their data, such as letting them view a copy of information held on them or have it deleted or corrected.

“GDPR the law is good,” Magnan-Saurin tells us. “It’s going in the right direction. We didn’t run out of business because of GDPR. And I don’t argue with the things that the CNIL asked us to change for the consent collection and everything — we had to do that and that’s perfectly normal. But in the process itself — there is a lot to say.”

Previously, we talked to Fidzup (in December 2018) when Magnan-Saurin was feeling optimistic, having come through a multi-month process of fixing how the company collected consents from mobile users for the purpose of tracking their location to target them with ads and carry out conversion tracking.

At that point Fidzup had come up with a consent management platform (CMP) that met CNIL requirements and was evaluating the idea of turning its CMP into an additional business opportunity to help others get their consents in order.

The company’s business relied upon an SDK deployed to partner apps that tracked smartphone users who came into proximity with physical retail stores where Fidzup had installed gear that could identify the devices. This allowed it to offer a location-based ad service that could push retailers’ ads to mobile users when they were near a partner store, thereby driving in-store traffic. The system was also able to track ad-to-store conversions for retail partners.

The problem that led to the CNIL’s intervention was that Fidzup relied on consent from users as its legal basis for tracking users’ locations, but this did not meet GDPR’s standard, which requires consent to be informed, specific and freely given.

In simple terms, Fidzup was tracking a lot of people’s movements without them being aware, yet it claimed it was legally able to do so because users had consented.

The attitude in the digital marketing sector prior to GDPR coming into force had been focused on gathering 100% of the data, according to Magnan-Saurin. But with updated consent rules and a new enforcement regime wrapping data protection across the EU — including, for the first time, the threat of major fines — a shift was inevitable. And, he says, manageable.

Under Fidzup’s reworked consent flow, the company went on to obtain a consent rate of between 50% and 70% of app users — a major drop, but not a decline that should have been terminal for the business.

Magnan-Saurin said there’s scope for app publishers to take more responsibility for educating users about why they’re asking for consent; consumers should recognize that developers monetize their data to cover the costs of offering free services.

“I think that the publisher has to make some effort of evangelization,” he says. “I don’t see that many mobile apps or websites telling that to their audience — and I think it’s too bad. Because a lot of people would understand better why we’re asking them for their data and why we [target them with] advertising if we explain the business model behind that.”

But in Fidzup’s case, the problem was more fundamental than needing a little extra help from app makers to grease its data pipe: He says the regulator’s public warning simply scared away customers. The process of defusing the warning also took a full five months, during which time Fidzup was burning through a lot of cash.

“During this time we did nearly zero business,” he says. “It was very difficult because some existing clients took precautions with their legal teams saying you have to pause what you are doing with Fidzup because of the CNIL warning. With the new clients it was even worse because they were not in contact with us so they just said, ‘okay let’s talk again when we’ll be out of the CNIL warning.’ So for five months we did no business.”

At the end of the five-month period, when Fidzup had finally resolved the issues that led to the CNIL’s intervention, he was optimistic it could put the episode behind it. However, he says the reboot of the sales strategy took longer than expected — and, ultimately, the cash-crunch killed the company.

Asking investors to plough in more funding with a regulatory warning hanging over the business didn’t fly, either.

“It took a few months to get the new clients on board and to make the previous clients invest again in Fidzup,” Magnan-Saurin says. “Because when you go back to them five months after your collaboration they say, ‘okay, yeah I want to work with you,’ but in five months, I had to take some other option. And when you go back to them in January or February, they say, ‘okay yeah let’s do things again together, but maybe in March, April or May.’ So basically we lost nearly a year and it was a lot for our small company because we were a small company.”

A private warning would have offered his startup a greater chance of survival, says Magnan-Saurin, who says the company could have quietly worked with CNIL to fix the compliance problem without having to simultaneously deal with a body blow to customer confidence.

The regulator may have had a responsibility to issue a public warning, given what it has described as the “massive” scale of the consent-less tracking involved in the businesses it was calling out.

One could also say businesses that want to avoid damaging publicity attached to a public warning from a privacy regulator should avoid breaking the law in the first place. But on that front Magnan-Saurin argues that at the time there was a lack of clarity on how GDPR applied to the digital marketing sector.

“When we received the warning, there were no real guidelines from the CNIL in how you have to apply GDPR law for digital marketing. Those guidelines only went out in January this year in 2020 — nearly 18 months after that,” he says. “Of course, we knew the law but the application of the GDPR law is not the same in all the European countries and it was not very clear for us — for all the companies in the industry and also for all the specialized lawyer firms and all the specialists in the field it was not very clear.

“At the first point we got a warning — right — but why do you want to make it public? In a context where the guidelines are not clear for the company.”

Another point he raises is that while three other local businesses that were targeting the same drive-to-store space also received public warnings from the CNIL (Teemo, SingleSpot and Vectaury), these warnings were not all synchronized — with two being issued in July 2018 (to Teemo and Fidzup) and two others (SingleSpot and Vectaury) following later, in October and November, respectively.

This meant some of his direct rivals could be perceived as GDPR-compliant simply by merit of not yet having received a public warning, while Fidzup had been publicly branded non-compliant in its home market by the regulator — even though some of those same rivals would subsequently be hit with public warnings.

“When you do that you create [a market imbalance]. Not everyone is on the same page,” he says. “They didn’t have to make it public and they decided to make it public, so I’m asking myself why the CNIL said we want to use the warning — your warning — to teach the market how to do it. Okay, maybe, but is that the role of Fidzup and three other companies to be used as a teacher for other companies?”

He says some other players in the market never got a warning. Yet last year the CNIL held an industry meeting and working sessions that led the regulator to issue draft recommendations for online marketing at the start of this year. These guidelines came with a grace period that runs until September, before which it said it won’t issue any formal notices or sanctions.

“We would have loved to have had that before for Fidzup but we didn’t have this time and this information,” says Magnan-Saurin. “I think the right way is this way: ‘We are expecting that — we give you some time and after it’s very clear what we are expecting or not.’”

In an earlier intervention in the dating apps space, he says the CNIL did issue synchronized warnings on all of the local apps when they carried out a sector audit, querying why the regulator didn’t apply that treatment to the drive-to-store market.

“At least all the companies are on the same page and treated equally but it was not the case in our market,” he says. “I think that it’s not a good thing because first you can kill some companies — at least if you don’t kill them they are weaker because of the warning. And in the other time all the other companies even if they are not compliant with GDPR law at the time they are seen as compliant for the other guys because they were not the one with the warning so it can lead to [market imbalance].”

We reached out to the CNIL with a number of questions, including asking why it did not make synchronized interventions in Fidzup’s market. It did not engage directly with specific questions but pointed to an earlier statement, issued to local press in response to Magnan-Saurin’s blog post — in which it writes (translated from French via Google Translate): “The need for prior consent, as well as the fact that it must be specific and result from positive action, had been known to actors for several years, and even before public notices were adopted.”

In the statement the CNIL also says it acted as a result of a 2017 audit which it said had shown very large-scale breaches related to the location-tracking of smartphone users — dubbing this “a particularly intrusive practice,” while also pointing out this practice required “prior consent both under the old data protection act and the GDPR.”

“The users of the mobile applications concerned (weather, cooking recipes, dating applications) were geolocated without having consented and without having been properly informed, which enabled them to be served with targeted advertising in relation to the places that they frequented. They were thus subject to close and permanent monitoring revealing their daily habits,” the regulator went on, adding: “The CNIL thus wished to launch an action with a wide echo to alert the millions of people whose data were collected and processed without their knowledge.

“In addition, an ecosystem was being built on the basis of such practices, it appeared necessary to quickly send a collective alert for all the companies likely to implement them, which only advertising [i.e. a public warning] allows.”

We also reached out to Teemo, SingleSpot and Vectaury to ask for their views on the CNIL’s process and how it had affected their businesses. Teemo told us its French business was also “put on hold” for several months after the CNIL’s warning.

“After three months we had an official statement from the regulator declaring our GDPR compliance. Those few months were tough, but since then it has been very reassuring to our customers,” said Benoit Grouchko, CEO and co-founder. “If the notice had not been specifically aimed at us and other specific companies, like in the form of a more generic heads-up/forewarning to the ecosystem, it certainly would not have had such a drastic short-term business impact.”

“Users obviously need more control and transparency over their data. This is a good thing for the ecosystem in general,” he added. “But we should keep in mind that the more difficult you make it to collect user data, the bigger the competitive advantage is for tech giants, as they have a much stronger relationship with their users versus any other independent entities, whether startups, media publishers, etc.”

The other two companies did not respond to our request for comment.

While there has been considerable variation in the speed with which data protection agencies across the EU have sprung into action to enforce GDPR’s leveled-up data protection regime, France’s CNIL does have a reputation for being one of the region’s more muscular regulators.

A year ago, it hit Google with a $57 million fine also related to a lack of proper consent to location-track users, whereas the Irish Data Protection Commission, the lead regulator for more of big tech (including Google), has yet to reach a single decision on major cross-border cases pertaining to major tech platforms. (Following CNIL’s penalty, Google made a change to its legal structure so data processing for its European users is now primarily regulated in Ireland.)

The CNIL’s statement also spotlights the enforcement it took against Google for similar consent-to-track issues — further noting that, as a result of the public warning process it applied to the smaller companies in the drive-to-store market, Fidzup (and others) avoided what could have been similarly hefty financial penalties.

This is cold comfort for Magnan-Saurin, who says the problem is that the fine Google received pales in comparison versus its parent Alphabet’s annual revenue. From his point of view, the relative impact of the CNIL’s approach to enforcement was still disproportionately tough for a small startup to survive versus a tech giant.

“It was nothing!” he says of Google’s $57 million penalty. “But for a small company like Fidzup getting a public warning from the French regulator in privacy — the impact is strong. And, as I said, we did nearly no business for five months. It’s a lot. I think they are not conscious of the impact of publicity.”

Still, it seems pretty clear a startup yet to turn a profit wouldn’t have had the resources to survive a hefty financial penalty either. So there were perhaps no harm-free outcomes possible. Additionally, the digital marketing sector CNIL audited in 2017 was clearly operating on borrowed time vis-à-vis lack of consent to track smartphone users’ movements, even if they may have believed there was safety in numbers.

There is now one less French startup to compete against foreign giants, which underlines the challenges European policymakers face in shaping digital regulations that don’t disproportionately disadvantage local startups. Not least because in parallel they have a stated aim of growing Europe’s digital economy and building local tech champions.

Enforcement should be focused on killing off bad business models rather than sinking the business itself.

So perhaps the answer is a more coordinated and impact-sensitive application of data rules that prioritizes clear goals and objectives and puts the enforcement onus on the most dominant internet platforms from where the greatest volume of harms are likely to flow, while, at least in the first instance, offering a hand of support to smaller players so they have a chance to fix abuses and build better rights-respecting European businesses.

Without a more joined-up approach to enforcing data protection rights across the bloc, it’s hard to see how the Commission can deliver on its stated aim of defending citizens’ rights while simultaneously encouraging a homegrown crop of tech talent that’s capable of beating out foreign giants.

Magnan-Saurin certainly wishes the national regulator in France had taken a less muscular approach against local players in the digital marketing space.

“I really have the sensation that Fidzup was sacrificed for communication and they wanted to make an example,” he says. “The CNIL was very specific about it. We want to teach the market. So I do think we were the collateral damage and we should not have been because the four companies that received the CNIL warning we were in advance in our market — comparing to all the companies in Europe, even in the U.S. So probably one of them… would have built maybe a European champion, maybe a worldwide champion I don’t know. But now it’s not the case.

“It’s too bad because if we take the big picture on the data we want to secure privacy and the personal data of the European people — and that’s a good thing. But if we kill the European companies who are handling this data it’s going to be the Asian or the American companies who are going to manage the data. And we know that in Europe we don’t have the same control over the data in those countries, in these areas of the world. So it’s not going in the right direction for me. I would like that the French companies are good in handling the personal data so we can have control over it. And if we kill the companies that do that it’s too late after that.”

One key point to note is that the GDPR’s one-stop-shop mechanism has had the effect of funneling big cross-border complaints — which pertain to (mainly) U.S. tech giants — through Ireland, where such companies choose to base their European HQ for tax reasons. And these major cases have been stacking up in Dublin since May 2018, with still (at the time of writing) no decisions issued vis-à-vis a plethora of GDPR complaints against the likes of Facebook and Google.

So, from the perspective of a startup like Fidzup, there are already very unequal impacts. It can argue the strongest enforcement has fallen on smaller, local players — given it wasn’t able to survive as a business; whereas Google’s parent company, Alphabet, generates revenue at such a staggering rate its business only needs a few hours to recoup a $57 million fine.

“I would love to see the way the Irish regulator will apply GDPR but I can bet that it’s not going to be as hard as the French regulator will apply GDPR because all the U.S. companies have their headquarters in Dublin — most of them. So I’m sure it’s not going to be the same interpretation of the GDPR law,” says Magnan-Saurin. 

“I didn’t want to go to Dublin for Fidzup even with that! I was good in Paris but my point is the CNIL have to maybe be more careful to the companies and the value,” he adds. “We have a French president saying all day on the TV he wants to make France a startup nation. And it’s a way to help the startups develop value around the economy and the future of the economy is digital so maybe we have to work on that.”

It’s also worth pointing out that over the English Channel the U.K.’s ICO — which has a reputation as a more “business-friendly” regulator — continues, even now, to avoid bringing down enforcement hammers against companies operating in the real-time bidding programmatic ad space, despite agreeing with privacy campaigners that current practices are rampantly unlawful.

So, again, there are clear examples of substantial differences in enforcement of a regulation that was intended to harmonize Europe’s privacy patchwork.

Stories like Fidzup’s may therefore take a little of the shine off of the GDPR when in a couple of months’ time the Commission comes to report in detail on how the almost two-year-old regulation is functioning.

The new Commission president has talked boldly about wanting Europe to achieve technological sovereignty, a goal that will be tricky indeed if EU rules end up cutting off at the ankles homegrown startups, yet letting foreign-born FAANG giants stride on.

Improving enforcement of the GDPR may ultimately, therefore, require a rethink to (ideally) eradicate the one-stop-shop’s forum shopping effect; and/or enable national regulators’ resources to be (at least partially) pooled to speed up the regulatory process and avoid unnecessarily painful business bumps that can, for small companies like Fidzup, lead to terminal outcomes.

A patchwork of enforcement that leads to fast-track hobbling of local startups certainly won’t be cheered by Europe’s entrepreneurs if it also leaves platform giants unscathed.

A few months short of the GDPR’s second birthday, it remains the case that not all DPAs are equally active — while resources are sorely lacking for the scale of the task at hand — so there’s by no means a level playing field for Europe’s startups in terms of how the rules are being interpreted and enforced.

Getting more collaboration between national interests in a way that generates leadership on a nuanced issue like privacy is likely to prove tricky. So, in the meanwhile, the choice of where in the EU to locate your startup can be a strategic one, certainly if your business involves processing a lot of personal data.

What’s next for Magnan-Saurin? He says he’s currently winding up Fidzup but also thinking about his next challenge — formulating a plan to relocate to San Francisco.

“I’m looking more to have a good position in a cool company in the tech industry,” he tells us. “That’s my next step for 2020 and I prefer to be clear on that — I don’t go to the U.S. because of the CNIL or anything like that… It was just because I want to live for some time in the SF area. I have friends there and if you work in [the] tech industry it’s like the Champions League, so I would like to live that for a few years.”

Asked which steps he would like to see the Commission taking to support Europe’s startup ecosystem — with the new college of policymakers just starting to lay out their thinking, unveiling a plan to encourage industrial data reuse, for example, and set rules around how applications can apply AI — he says above all, businesses need clarity around how regulations apply.

“I speak with a lot of CEOs in digital marketing. Everyone wants to go in the way of the philosophy of the GDPR. Want to protect the people. There is no doubt about it. No one wants not to protect them. But we have to find the right way,” he says.

“There is a lot of spaces here in tech that will get impacted from the GDPR law. And a lot of precision and accuracy that the regulators in Europe will have to get. But it will take maybe some time — because it took 18 months for digital marketing so I think it’s going to be 2020, nearly 2021. As soon as it’s going to be clear, it’s going to help companies to invest their time and their money in innovation. And not regulation — and that’s important.”
