CNIL has fined Carrefour France €2.25M for GDPR and e-Privacy violations and Carrefour Banque €800,000 for similar breaches. The fines cover violations related to the placement of cookies on users' devices as well as processing of personal data contrary to the requirements of the GDPR. This article looks at the specific practices that CNIL objected to, so that organisations can better understand the priorities of regulators.
Cookie practices
Cookies have been in the regulatory news lately, as both the Irish DPC and the French CNIL have signalled their intention to initiate enforcement actions for cookie practices that are contrary to each regulator's guidance. The fine from CNIL for both organisations specifically mentions the placement of cookies on the user's device automatically, without first obtaining consent. This is a common violation on web properties, even where the organisation has taken steps to achieve cookie compliance. Developers sometimes build the visual consent mechanism (the banner) but place the cookies automatically on page landing, before consent has actually been given. Instead, cookies other than those strictly necessary to deliver the service to the user should not be placed until positive consent is obtained from the user.
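As an added illustration (not code from the article, CNIL or Carrefour), the following JavaScript contrasts the landing-page pattern described above with a consent-gated one, and includes a check that reports non-essential cookies present before consent; the cookie names and the "strictly necessary" list are assumptions, and a `Map` stands in for the browser cookie store so the logic runs outside a browser.

```javascript
// Added example, not from the article: the cookie names and the
// "strictly necessary" list below are assumptions for illustration.
// The cookie jar is a Map so the logic runs in Node; in a browser the
// same calls would write document.cookie instead.

const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "consent_state"]);

// Pattern the article warns about: the banner is shown, but every cookie,
// including analytics and advertising ones, is written on page landing.
function naiveLanding(jar, cookies) {
  for (const [name, value] of Object.entries(cookies)) {
    jar.set(name, value);
  }
  return jar;
}

// Consent-gated pattern: strictly necessary cookies are written immediately;
// anything else is held back until the user takes a positive consent action.
function createConsentGate(jar) {
  const pending = new Map();
  let consentGiven = false;
  return {
    set(name, value) {
      if (consentGiven || STRICTLY_NECESSARY.has(name)) {
        jar.set(name, value);
      } else {
        pending.set(name, value); // deferred, not placed on the device
      }
    },
    grant() {
      consentGiven = true;
      jar.set("consent_state", "granted");
      for (const [name, value] of pending) jar.set(name, value);
      pending.clear();
    },
    deny() {
      pending.clear(); // nothing non-essential is ever written
      jar.set("consent_state", "denied");
    },
  };
}

// Compliance check: non-essential cookies present while consent has not been
// recorded as granted. An empty result on page landing is the expected state.
function auditPreConsent(jar) {
  if (jar.get("consent_state") === "granted") return [];
  return [...jar.keys()].filter((name) => !STRICTLY_NECESSARY.has(name)).sort();
}
```

Running `auditPreConsent` against the naive jar lists the analytics and advertising cookies placed before consent, which is exactly the state an audit of a landing page should flag.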
Data Protection practices
In addition to this, CNIL also found that the organisation was not respecting the requirements of the law in these specific areas:
- Data retention – Carrefour retained the data of 28 million inactive loyalty programme customers for five to ten years, despite its policy stating that data would only be retained for four years.
- Data subjects' rights – Carrefour did not act sufficiently on customer requests for deletion of their data or for blocking SMS and telemarketing. When data subjects requested access to or deletion of their data, the proof of identity Carrefour demanded was deemed excessive. Finally, the company did not comply with the time limits for responding to Subject Access Requests (SARs).
Furthermore, although Carrefour had a privacy notice on its website, the notice did not align with the requirements of the law in these areas:
- Transparency – Information on data processing was not provided in a manner that was easy to understand.
- Lawful basis – Insufficient information was given to website users about the lawful basis for the personal data being processed.
- Data Transfers – Insufficient information was given on the transfer of personal data to other organisations.
What these fines demonstrate is that it is not enough to include cookie banners or privacy notices on a website; the practices behind them must also follow the specific requirements of the law.
Overall, it is clear that Carrefour had some elements of the data protection and electronic communications legal requirements in place. However, in each of these areas, organisational practice did not follow the rules stated in publicly available documentation or internal policy. This case demonstrates that organisations must not only set policy – they must also check that policy is being followed, through regular audits or compliance checks. This is particularly important for cookie compliance, as legal experts and web developers speak different languages and often need translation between them to "get it right".
Trilateral’s Data Governance and Cyber-Risk Team has significant experience helping our clients navigate compliance with processing related to cookies and similar technologies. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help assess existing practices, perform gap analyses, and offer compliance support to facilitate compliance cookie processing. Our support services will help your business to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.