Teemo, a French startup was the first company to be admonished by the GDPR for gathering data without informed consent. However, on October 11th they were cleared. How was this possible?
The French data protection authority - the ‘Commission national de l’informatique et de libertés”, in short CNIL, gave Teemo an ultimatum in July. They could either obtain proper consent for their data processing activities, provide a disclosure and set limits for data retention.
It took 2 months before Teemo put in place all of CNIL’s requirements and the company had to toss out all R&D resources to be compliant. Now its partners have to display a banner during the app’s installation a banner that allows users to provide informed consent for data collection before data is actually collected.
Many believed it was unlikely for Teemo to be fined in the first place. However, their case proves that DPAs want to look at the good intentions of companies and their efforts to comply and not just hand fines as soon as there’s a chance.
Blaine Kimrey, a shareholder at Vedder Price in Chicago, says that the GDPR is “mainly intended to guide behavior, to encourage compliance, not as a vehicle for penalizing”. He adds, “The potential penalties are severe under GDPR and they’re definitely there for a reason, but the people I’ve heard speak about GDPR, including those involved in its drafting, don’t see penalties as the standard enforcement proceeding”.
Fidzup, the second company called out by CNIL at the same time with Teemo, is still making progress towards compliance by developing a consent management platform and cooperating with CNIL to test the platform. A decision has yet to be made by CNIL regarding Fizdup, but company representatives feel confident that their efforts will make a difference.