On March 5, 2024, the French data protection authority (CNIL) published its decision SAN-2024-003, as issued on January 31, 2024, in which it imposed a fine of €310,000 on FORIOU for violation of the General Data Protection Regulation (GDPR) following an investigation.

Background to the decision

In particular, CNIL highlighted that FORIOU carries out telephone canvassing campaigns to promote loyalty programs, and did so with data purchased from data brokers.

Findings of CNIL

CNIL outlined that to carry out cold calling campaigns, FORIOU purchased data from data brokers but clarified that the data collection by the brokers was done via participation forms in competitions or online product tests.

CNIL held that FORIOU could not rely on legitimate interest as a legal basis for the collection of such data, noting that FORIOU is not mentioned in the list of partners likely to approach affected data subjects, alongside failing to mention the categories of partners to which the data will likely be transmitted to. Accordingly, data subjects cannot legitimately expect to receive commercial offers from FORIOU.

In addition, CNIL detailed that the design of the forms used by data brokers from which FORIOU obtains data did not allow users to demonstrate their consent by a clear and unambiguous act, and instead acted to encourage data subjects to transmit their data to data broker's partners. Specifically, with examples provided, CNIL stipulated that the highlighting of buttons, both in size and color, prompted the transmission of data for commercial prospecting purposes. Further, CNIL found that the forms did not allow users to proceed without accepting the transmission of their data to the data broker's partners. Consequently, CNIL considered that the forms responsible for collecting data subjects' data did not allow them to demonstrate consent by a clear and unambiguous act.

Finally, regarding the consent of data subjects, CNIL provided that FORIOU is responsible for ensuring data subjects have expressed valid consent as a user of the data collected by data brokers. However, FORIOU was considered not to have imposed upstream contractual requirements on the data brokers as suppliers, and so no effective controls were imposed.

Considering the above, CNIL found that FORIOU acted in violation of Article 6 of the GDPR.

Outcomes

In light of the above violation, CNIL imposed a fine of €310,000 on FORIOU.

You can read the press release here and the decision here, both only available in French.