The French Data Protection Authority announced a €600,000 fine against Groupe Canal+ over concerns with the media company’s direct marketing activities. According to the CNIL, the company sent users email marketing without getting consent, in violation of both GDPR and French privacy law. In particular, the CNIL noted, the company sent marketing emails to individuals who had provided their personal information not to Canal+, but instead to one of its partners. When doing so, they were not told by the partner that the information would be shared with, and used by, Canal+ for Canal+’s marketing activities. Canal+ should have ensured that the partners had gotten appropriate consent, according to the CNIL.
In addition to data privacy concerns, the decision also highlighted data security concerns. According to the CNIL, the company did not use appropriate security measures when storing employee passwords. It also failed to notify the CNIL of a breach of subscriber data that resulted in that data being viewable to others for five hours.
Putting it into Practice: This case is a reminder to review marketing consents, even when information is being collected by a third party. Companies may also want to review their rights requests and breach notification procedures.
This article was co-authored by Sam Cournoyer.