The French Data Protection Authority (CNIL) recently imposed a EUR 310,000 fine, representing 1% of its turnover, on FORIOU, a telemarketing company promoting loyalty programs. The fine stemmed from FORIOU’s use of individuals’ personal data it purchased from data brokers. The consent form to use the data contained flaws and was in violation of the GDPR.

The CNIL’s Decision

The data brokers from whom the company purchased the personal data obtained it by registering users on various gaming websites. During registration, users received certain information about the future use of their personal data and provided their consent.

CNIL found that the way consent was obtained from users did not meet GDPR requirements. Specifically, how the different options regarding their personal data were presented to them was not compliant. Therefore, FORIOU could not rely on the consent obtained and use this information for its own purposes.

CNIL found data brokers didn’t list FORIOU as a partner likely to receive personal data, among other issues. It further found that the forms the data broker used deprived users of their right to free choice. Rather, they designed them in a way that led users to prefer the option of transferring personal data to the data broker and its partners. The problematic construction of the forms, referred to as dark patterns, included features such as:

• Placing prominent consent buttons in terms of size and color and inconspicuous decline buttons.
• The absence of the possibility to continue using the website without providing data to the data broker’s partners.
• The absence of the possibility to express explicit consent.

Importance of the Decision

The CNIL’s decision is significant because it imposes direct liability on a corporation. This occurs even in situations where the collection of personal data and obtaining consent from users are achieved by a third party and not directly by the corporation. The decision imposes an active obligation on companies wishing to purchase personal data. They must verify all privacy aspects of the suppliers’ activity, including the practical means of obtaining consent for data use from users. Companies should not rely solely on contractual representations.

Recommendations for the Future

Businesses that purchase personal data for marketing purposes, especially in Europe, or businesses that rely on suppliers to obtain user consent for the collection of their personal data, should review the way their suppliers operate:

1. Review how the supplier actually obtains users’ consent, particularly the appearance of the form and the options offered to users.
2. Ensure users receive all information regarding the purposes of the use of their personal data, its transfer to other parties, and the details of those parties.
3. Ensure that you have a proper contract in place that allows for indemnification in cases where you have not lawfully obtained the data subjects’ consent.
4. Ensure users have the option to refuse to provide their personal data or to receive the service without providing their personal data to third parties.

[View source.]