France: Commercial prospection, marketing and personal data protection

published on 20 September 2022 | reading time approx. 2 minutes

Companies, what are your rights?

The protection of personal data is regulated mainly by a European regulation ("GDPR") and, in France, by the "Liberty and Information Technology Act". More specifically, the use of personal data for marketing activities by electronic means (e.g. mailing) is also governed by the French Postal and Electronic Communications Code.

Many BtoC companies are still wondering whether and how they can use their customer or prospect files (which they are supposed to legally hold) to send electronic communications (especially newsletters). It should be remembered that any "processing" (exploitation) of personal data, such as the commercial prospecting policy, must be based on one of the six legal grounds provided for by the GDPR, including (i) law, (ii) contract, (iii) consent and (iv) legitimate interest of the company responsible for such data processing.

In the field of electronic prospecting (e.g. sending newsletters), economic actors have now well integrated the fact that the specific and prior consent of the individual person to the prospecting is the rule, such consent must be provable (dedicated signature, dedicated box to be ticked, video recording...). Online, this consent typically takes the form of a checkbox at the bottom of a form or, in stores, of a signature on an explanatory form. As a result, companies are now well aware that pre-checking the box for this consent is prohibited, as is the display of a single box for several distinct consents (e.g.: acceptance of the T&Cs + acceptance of prospecting). The customer's or prospect's action of consenting must be active and specific, and not forced or presumed.

However, in order to avoid collecting the prior consent of the targeted persons or out of negligence, some companies or agencies argue that it is in the 'legitimate interest' of any commercial business to prospect by email or online, in order to make their services known to the public, in particular to their customers.

An exception to 'consent' does indeed exist, whose legal basis is, this time, the 'legitimate interest' of the company. This exception is very limited and does not concern prospects. It only allows marketing communications to be sent to existing customers without consent if three conditions are met:

(i) the customer's data must have been collected DIRECTLY from them originally,

(ii) the communication must be for products or services ANALOGUE to those already provided to the concerned customer,

(iii) the customer has been correctly informed, at the time of collection as well as in each mailing, of his or her right to object to these e-communications... an objection that the company receiving it must deal with effectively, in accordance with the deadlines and procedures imposed by the GDPR. It is therefore an 'opt-out' instead of an 'opt-in'.

Whatever the situation, rule or exception, it should be remembered that, for the processing of personal data to be lawful, it is essential that the data subjects are clearly informed at the time their data is collected. The information must particularly concern (i) the nature of this processing (for a customer, generally via the purchase form or a link to the company's 'privacy' policy), (ii) the customer's or prospect's rights with regard to this processing and (iii) the methods for exercising these rights.

Thus, thanks to complete and comprehensible information, individuals must be able to easily either withdraw their consent (if consent is the legal basis) or oppose the processing (if the legitimate interest (opt-out) is the 

legal basis, with some exceptions...).

Let's go back to our ACCOR case: In this particular case, following several customer complaints and online and on-site checks by the CNIL, the regulating authority sanctioned Accor SA for failing to comply with several GDPR guiding principles:

• The box related to consent to receive newsletters was pre-checked, a perfectly inexcusable negligence. Thus, even if there was an appearance of willingness to collect consent, it was forced and therefore invalid;
  

• Accor sent its hotel guests a newsletter containing not only information on hotel services, but also on other services of the group (trips, visits…), and especially on offers from third-party partners (airlines, car rentals, etc.). The canvassing was therefore not limited to services 'analogue' to those already provided for the mentioned customers (hotel services) and their consent should therefore have been obtained, and correctly, from the outset; 
  
• This strict interpretation may pose a delicate problem for publishers of newsletters, which are generally sent to customers on the basis of the exception to consent, whereas the promotional information they contain is generally aimed at much more than just products or services similar to those already provided to the said customers!
  
• The prior information owed to the customers and prospects concerned was non-existent, and, a fortiori, no link was proposed, during the online contact, to a data protection policy;
• The choice of legal basis was therefore inappropriate ('legitimate interest' instead of 'consent');
  
• Accor had not implemented an effective management of the rights exercised by certain customers, and in particular the respect of deadlines for processing customers' requests for access, withdrawal of consent or objections to processing;

Another classic but too often neglected topic: the choice of passwords. Within the general question of securing a company's information system, and in particular access to storage tools for this or that category of personal data, the question of the choice of password is permanent and has already been the subject of many procedures and decisions. Even if the evolving security techniques tend to replace passwords by other identification keys, these are often still not in compliance with the principles set by the regulatory authority.

In this case, the CNIL found that the password for accessing the Accor database managing marketing mailings to customers and prospects was not strong enough. It should be remembered that the CNIL's guidelines require a password made up of 8 to 12 characters, comprising three or four of the following: a number, a capital letter, a letter and a special character. This is not the policy in most companies, which risk being denied certain compensation or insurance in the case of theft or hacking of their information systems.

All of the breaches observed at ACCOR concerned a considerable number of people, extended to several countries and affected fundamental principles of the GDPR that were supposedly well known, especially by international groups. Consequently, the CNIL, despite some corrections made by the group during the procedure, pronounced a high fine, after having been pushed by the EDPS (the European super-CNIL, in charge of coordinating the procedures of national authorities) to reinforce a first penalty deemed insufficient.

It should be noted that, a few weeks earlier, on June 23, the CNIL fined TotalEnergies one million euros, also for similar breaches related to a marketing policy that did not comply with the principles of the GDPR and the applicable French regulation.. In that case, TotalEnergies did however correct some of the breaches found, resulting in a "relatively" moderate penalty given the financial capabilities of the French international group.

If you have any doubts or questions about the compliance of your prospecting policy with the GDOR rules, do not hesitate to contact us.