CNIL publishes guidance on the disclosure of data to business partners for direct marketing purposes
On December 28, 2018, the French Data Protection Authority (the "CNIL") released guidance on the disclosure of data to business partners for direct marketing purposes. In essence, the CNIL enumerates five rules that companies who collect data directly from data subjects must comply with when disclosing such information to business partners and other organizations. The essential provisions of these guidelines are summarized below.
- In what context do these rules apply?
The rules set out below are meant to apply to:
- companies who collect personal data directly from their clients;
- via online or paper forms;
- who share this data with business partners or other organizations who may then use such data for their own direct marketing campaigns. The CNIL does not say whether these rules only apply to third-party companies and organizations. Supposedly, that is how these rules are meant to apply, and so intra-group data sharing would not be concerned by these rules;
- either by SMS or email marketing (other forms of marketing, such as telemarketing, seem to be accordingly excluded).
- What are the rules set out by the CNIL?
The CNIL recalls that to be valid, the disclosure of data must comply with the GDPR provisions in order to allow data subjects to exercise control over their own personal data. In particular, the CNIL has set out the following rules:
Rule 1: the data subject must give consent prior to any disclosure of his/her data to a business partner and/or other organization who intends to use the data for the purposes described above.
Rule 2: the data subject must be able to identify the recipients of data (i.e. business partners) via the form used to collect the data.
On this point, the CNIL provides for two possible modalities:
- Either the data controller gives access to an exhaustive list of all the data recipients via the form itself and this list must be regularly updated;
- Or, if the list is too long, the data controller should provide a link to such a list and to business partners' respective privacy policies.
Rule 3: the data subject must be informed about any changes in the list of recipients, in particular when new business partners have been added.
As a general rule, the information provided to the data subjects must specify the name of the company who initially collected the data and the rights of the data subjects (in particular the right to object to the marketing). In addition, the CNIL considers that the data controller must provide up-to-date information about the list of recipients to the data subjects in the following manner:
- First, the initial data controller should provide an updated list of all the recipients in each e-mail or marketing communication that is sent to the data subjects.
- Second, whenever a business partner receives the data from the data controller, it must, at the time of the first communication with the data subjects and at the latest within one month, inform the data subjects of the processing of their data.
According to the CNIL, this two-step process will enable data subjects to follow the entire data life cycle more accurately and allow them to exercise their rights more effectively.
Rule 4: consent of the data subject must be obtained by the initial data controller and is only valid for the processing activities that are carried out by the business partners with whom it shares the data. In other words, if a recipient of the data (i.e. a business partner) shares the data with another third party who intends to use the data for its own marketing campaigns, the first recipient must obtain consent from the data subjects prior to doing so and inform the data subjects about the recipients of the data. Consequently, the obligations to provide notice and obtain consent flow from one recipient to another, but consent itself is not "transferable" and has to be renewed by every subsequent recipient of the data.
Rule 5: each business partner who is a recipient of the data and who in turn contacts the data subjects must indicate, at the time of its first communication, the source of the data and how data subjects may exercise their rights, in particular their right to object. There are two ways for data subjects to exercise their right to object:
- Either they exercise this right directly with the recipient of the data;
- Or they exercise this right with the data controller who initially collected their data, which then has an obligation to notify all its recipients that the individual has exercised this right to object.
There are different ways in which companies can comply with these rules, depending on the means used to communicate with the data subjects, the manner by which consent is obtained as well as the interface used to provide notice to the data subjects.
- What is the impact for companies?
The principles above are not new; rather, they derive from the GDPR and the EDPB's guidelines on consent and transparency. For example, article 14 (2) (f) of the GDPR requires data controllers and processors to indicate the source of the personal data whenever data is not obtained directly from the data subject. However, the CNIL's interpretation of these rules is useful because it provides a more practical understanding of how companies must comply with the notice and consent principles of the GDPR. For example, the combination of rules 2 and 3 is likely to make it more burdensome for companies who share data with third parties, because this will require them to review and update their lists of recipients periodically. Furthermore, this will require more collaborative work between the controller who collects the data from the customer and the business partner with whom it shares the data, particularly with respect to the handling of the data subjects' requests. Inevitably, this will require adding specific terms in agreements between controllers and their business partners to ensure that such recipients provide the necessary assistance to the data controller to allow the controller to comply with its obligations under the GDPR.
Lastly, while the CNIL's guidelines do not target data brokers specifically, they will inevitably have an impact on this business sector. Data brokers are already under significant scrutiny by the CNIL since it published its list of data processing operations for which a data protection impact assessment (DPIA) must be carried out. Indeed, the CNIL considers that profiling activities that rely on data obtained indirectly from third-party sources (e.g. data obtained from data brokers) are likely to result in a high risk. As a result, companies who rely on data brokers for their marketing campaigns are going to have to reassess their marketing strategy in light of this guidance.
Special thanks to Paola Heudebert for her valuable contribution to this article.