The French Data Protection Authority announced a €600,000 fine against Groupe Canal+ over concerns with the media company’s direct marketing activities. According to the CNIL, the company sent users email marketing without getting consent, in violation of both GDPR and French privacy law. In particular, the CNIL noted, the company sent marketing emails to individuals who had provided their personal information not to Canal+, but instead to one of its partners. When doing so, they were not told by the partner that the information would be shared with, and used by, Canal+ for Canal+’s marketing activities. Canal+ should have ensured that the partners had gotten appropriate consent, according to the CNIL.
In addition, the decision against the company cited other alleged violations of GDPR. This included not disclosing its data retention period in the company’s privacy policy (the policy that was shared with users when they created a “MyCanal” account). It also included not giving privacy disclosures when contacting consumers by phone, and not responding to rights requests within a month after receiving them from consumers. The company also, the CNIL indicated, did not respond to certain consumers’ access requests.
In addition to data privacy concerns, the decision also highlighted data security concerns. According to the CNIL, the company did not use appropriate security measures when storing employee passwords. It also failed to notify the CNIL of a subscriber data breach that resulted in that data being viewable to others for five hours.
Putting it into Practice: This case is a reminder to review marketing consents, even when information is being collected by a third party. Companies may also want to review their rights requests and breach notification procedures.