The Paris-based Teemo, a technology company that specializes in location data, was the first company that failed European Union’s Global Data Protection Regulation (GDPR) compliance.
When Benoit Grouchko, the CEO and co-founder of the company, opened a letter from the Commission nationale de l'informatique et des libertés (CNIL), he experienced the shock of his life.
"It was by far the hardest time in our company because it was such an intense crisis," said Grouchko. "We were very thoughtful about our strategy in becoming GDPR compliant. We worked with lawyers and we wanted to make sure we had done everything the right way."
Teemo was caught by GDPR because it tracks users' location data from third party apps. French regulators said that users who downloaded those apps had to specifically provide consent that Teemo could use their location data.
Because Teemo had no easy way for users to opt out, the company failed GDPR's regulations.
After realizing that it failed to comply the rules, Teemo quickly dumped all their R&D to reach the compliance, that according to Alexandra Chiaramonti, Teemo’s managing director for France.
The company changed many of its operations, and made a good faith effort to comply, knowing that regulators won't really care about putting small companies out of business. It took the company two months to implement everything the CNIL was asking for.
The fine for violating GDPR's rules comes with a hefty price.
For Teemo that is regarded as a small company, and also with the fact that it was at the time struggling financially, the fine can simply decommission it.
To meet the compliance, Teemo’s publisher partners must display a banner during the app installation process that gives users the opportunity to provide their informed consent for data collection before any of their data is actually collected.
Teemo also start putting a link to direct users to a page that details more information on their data rights, including the duration of retention.
“If everyone is willing to find a reasonable solution which serves each party’s interest, we can get there,” said Alexandra Chiaramonti. “GDPR doesn’t have to be scary; it can benefit the industry as a whole by building trust from the general public and making this market a lot healthier.”
Teemo then expanded its operations to the U.S., where regulation was still imminent.
Another company that was also caught, was Fidzup, also a French company that collects location data.
Fidzup stresses that it is privacy safe, though not in the same explicit fashion as Teemo. The company also said that it uses only anonymous data and "doesn’t know who you are." After a warning by the French regulators, FIdzup stated offering an opt-out provision on its website.