September 26, 2021

Volume XI, Number 269


September 24, 2021

Subscribe to Latest Legal News and Analysis

Data-Scraping: A Stern Limitation by the French Data Protection Authority to Direct Marketing Practices

The French Supervisory Authority (CNIL) wrapped up 2020 with a EUR 20,000 fine against NESTOR, a French food preparation and delivery company catering to office employees (see full decision here in French).1

Various breaches of the General Data Protection Regulation (GDPR)2 and the ePrivacy Directive regarding the processing of prospects and clients’ personal data were highlighted by the CNIL, most notably:

  • The lack of prior consent of the prospects to receiving direct marketing communication by electronic means, thereby violating Article L.34-5 of the French Post and Electronic Communications Code (CPCE);3 

  • The failure to properly inform individuals4 whether:

    • Upon the creation of their account on the company’s platform, or

    • Upon indirect collection through external sources;

  • The failure to properly address data subjects’ access requests (DSAR).5

While the fine is rather limited in view of the maximum potential amount of EUR 20 million or four percent of the turnover (whichever the greater), this decision remains an opportunity to look at web scraping and direct marketing practices, which are rapidly developing.


NESTOR built up a database of prospective clients by automatically collecting personal data made publicly available through third party platform, a practice known as “data scraping” or “web-scraping”, massively used by startup and emerging companies to quickly develop their marketing campaigns.

This database, comprising 635,033 contacts, had been established through a plurality of third party services:

  • The personal data was initially collected through LinkedIn’s “Sales Navigator” functionality, which lists all individuals working in a company and in a given region;

  • A second company then added the professional e-mail addresses of the individuals; and

  • A third company proceeded with the dispatch of prospecting e-mails on behalf of NESTOR.

Under Article 13.1 of ePrivacy Directive, such practice would require a GDPR-compliant6 consent by the data subject prior to sending direct marketing communication through electronic means. Indeed, the ePrivacy Directive prohibits direct marketing via “electronic means” (i.e. emails, text messages, facsimile or automated calling machines7), unless such marketing practices are undertaken by the entity which effectively directly collected the personal data in the first place, within the framework of a sale of a product or the provision of a service, and aim to offer similar products and services.

This Article of the ePrivacy Directive was subsequently implemented under French law in the Article L.34-5 CPCE.

Provided that NESTOR did collect the personal data not from the individuals themselves but through LinkedIn’s functionality, prior consent was therefore required.

In addition, companies relying on indirectly collected personal data also fall within the scope of Article 14 GDPR, which mandates the provision of certain information to data subjects, at least within 30 days from the provision (or harvesting) of their personal data.


While the ePrivacy Directive has been implemented differently in various EU Member states (and while waiting for its successor, the ePrivacy Regulation, to harmonize this area), the CNIL interpretation may have EU-wide consequences for all companies.

Most notably, certain EU Member states elected to implement the ePrivacy Directive with a strict interpretation, i.e. consent requirement for all data subject recipients. Other included a consent exemption for B2B direct marketing. In that regard, France’s exemption takes the form of a single webpage (non-binding and likely to be amended at any time) on its website stating that prior information and a right of opposition offered to professionals is sufficient for direct marketing purposes.

NESTOR built its defense on that exemption, arguing it therefore did not require any prior consent and could instead rely on its legitimate interest as a legal basis for the direct marketing operations through electronic means.

However, the CNIL swept away that argument on the basis that messages regarding food delivery in the workplace had little connection with the prospects’ effective professional activity, despite being performed during such professional activity. According to the CNIL, a direct link between the marketing operation and the prospects’ professional activity was necessary to justify relying on legitimate interest.

Additional aggravating factors consisted in the lack of information provided to the individuals about the processing operations and the lack of opportunity to oppose such collection.

This decision has been published six months after the CNIL released its position on the collection of publicly available personal data (see our previous alert here) and is a stark reminder that the mere availability of data online would not, in and of itself, justify their collection and re-use without proper diligence. Moreover, aside from data protection concerns, data scraping may also be subject to additional restrictions, such as intellectual property or database protection.


This decision might seem anecdotal given its amount. Nevertheless, its significance is not simply based on its fine’s low amount but rather on the subject matter of the decision itself, as it is a firm limitation by the CNIL to the practice of web scraping via third party platform, such as LinkedIn, for direct marketing purposes, and a potential indication that the current B2B exemption may come to an end, at least under its current scope.

To give greater significance to this case, the CNIL made the decision public, and provided a very comprehensive article of this decision on its website, detailing the various breaches committed by the company.

This significance is also highlighted by the decision published by the CNIL the previous day, on 7 December 2020, against PERFORMECLIC8 which also addressed direct marketing and indirect collection (however not related to data scraping). This seems to indicate that further investigations on direct marketing practices are a priority for the French Supervisory Authority for this year.

1 CNIL, Decision SAN-2020-018, 8 December 2020 (in French).

2 Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

3 Article L.34-5 of the French Post and Electronic Communications Code (in French).

4 Article 12 and 13 GDPR.

Article 15 GPDR.

6 As pointed out in the European Data Protection Board (EDPB)’s opinion on the interplay between the ePrivacy Directive and the GDPR, when consent is required under the ePrivacy Directive, consent would necessarily be required as the legal basis under GDPR.

7 It does not, however, restrict postal marketing or direct phone call with human operators.

8 CNIL, Decision SAN-2020-016, 7 December 2020 (in French).

Copyright 2021 K & L GatesNational Law Review, Volume XI, Number 69

About this Author

Claude-Étienne Armingaud, KL Gates, Paris, data protection lawyer, commercial contracts attorney

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...


Clara Schmit is an associate in the firm’s Paris office. She is a member of the commercial technology and sourcing practice group.

She advises clients in matters related to information technology, intellectual property and data protection law. Ms. Schmit has expertise in industries of media and telecommunications, e-commerce, advertising, health, online services and luxury.

She advises French and international clients on issues relating to:

  • The compliance with and implementation of the European data protection framework, including the General Data...