On 31 January 2024, the CNIL fined FORIOU 310,000 euros for using data supplied by data brokers for commercial canvassing purposes, without ensuring that the individuals concerned had given their valid consent to be canvassed.
Background
FORIOU carries out telephone canvassing campaigns to promote the loyalty programmes and cards it markets. FORIOU purchases data from data brokers and publishers of competition and product testing websites.
On the basis of observations made during inspections, the Restricted Section – the CNIL body responsible for imposing penalties – considered that the misleading appearance of the data collection forms used by the brokers responsible for collecting the data made it impossible to obtain valid consent from the persons concerned. FORIOU therefore had no legal basis for using this data for canvassing purposes, in breach of the provisions of Article 6 of the General Data Protection Regulation (GDPR).
It has imposed a fine of 310,000 euros, which has been made public.
The amount of the fine, which represents around 1% of the company’s turnover, was decided in the light of the seriousness of the breach and the responsibility assumed by the organisation using the data collected.
Lack of free and unambiguous consent and insufficient information
In order to carry out its telephone canvassing campaigns, FORIOU purchases prospective customers’ data from several data brokers. The data is collected by the brokers via entry forms for competitions or online product tests on various websites.
The restricted panel considers that the misleading appearance of these forms makes it impossible to obtain free and unambiguous consent, in compliance with the requirements of the GDPR, which would form the basis for the company’s canvassing operations.
Examples of forms used by brokers:
In fact, the prominence given to buttons requiring the transmission of data for commercial prospecting purposes (by their size, colour, title and location), compared with hypertext links enabling users to take part in the game without accepting this transmission (of a much smaller size and blending in with the body of the text), strongly encourages users to accept.
It is up to the company, as the user of the data collected, to ensure that the persons concerned have expressed valid consent. In this respect, the select committee noted that, although the company imposed certain contractual requirements on its data suppliers upstream, no effective control of these requirements was carried out downstream. In this respect, the CNIL noted a significant proportion of non-compliant prospect files.
In addition, the competition forms from which the prospective customers’ data was collected did not systematically mention FORIOU in the list of partners likely to approach the persons concerned.