Commercial prospecting: HUBSIDE.STORE fined €525,000
On April 4th 2024, the CNIL fined HUBSIDE.STORE 525,000 euros for having used data supplied by data brokers for commercial prospecting purposes, without ensuring that the individuals concerned had given their valid consent.
Information background
HUBSIDE.STORE carries out phone and SMS prospecting campaigns in order to promote products sold in its stores (mobile phones, laptops…). Data of solicited prospects are purchased by the company from data brokers and publishers of competition and product testing websites.
On the basis of the findings made during the investigations, the restricted committee - the CNIL body responsible for issuing sanctions - considered that the misleading appearance of the data collection forms used by data brokers responsible for collecting the data did not allow valid consent to be obtained from the individuals concerned. HUBSIDE.STORE could therefore not legally carry out its canvassing operations by SMS (breach of the provisions of Article L. 34-5 of the French Post and Electronic Communications Code or CPCE) and by phone (breach of the provisions of Article 6 of the General Data Protection Regulation or GDPR).
In addition, the restricted committee considered that, during its prospecting operations by phone, the company did not allow individuals to be sufficiently informed, in breach of Article 14 of the GDPR.
The restricted committee imposed a fine of 525,000 euros on the company, which was made public. The CNIL cooperated closely with its counterpart (Belgium, Italy, Spain, Portugal) when examining the draft decision as part of the one-stop shop procedure, as HUBSIDE.STORE processes data from customers and prospects in several member States of the European Union.
The amount of the fine, which represents around 2% of the company's turnover, was decided in the light of the seriousness of the breach and the responsibility assumed by the organisation using the data collected. The restricted committee also considered the fact that HUBSIDE.STORE made extensive use of commercial prospecting.
Breaches sanctionned
Failure to comply with the obligation to obtain consent to receive commercial prospecting by electronic means (Article L.34-5 of the CPCE)
In order to carry out its phone prospecting campaigns, HUBSIDE.STORE purchases prospect data from several data brokers. Data are collected by the data brokers via participation forms for competitions or online product testing on various websites.
The restricted committee considered that the misleading appearance of these forms made it impossible to obtain free and unambiguous consent, as required by the GDPR, which would provide a basis for the company's prospecting operations by SMS.
Examples of forms used by data brokers:
Indeed, the prominence given to the buttons requiring users to transmit their data for commercial prospecting purposes (by their size, colour, title and location), compared with the hypertext links enabling users to take part in the game without accepting this transmission (of a much smaller size and blending in with the body of the text), strongly encouraged users to accept.
It is up to the company, as the user of the data collected, to ensure that the individuals concerned have expressed valid consent. In this respect, the restricted committee noted that, although the company had imposed certain contractual requirements on its data suppliers upstream, no effective control of these requirements was carried out downstream. Thus, the CNIL noted a significant proportion of non-compliant prospect files.
Failure to comply with the obligation to have a legal basis for processing data (Article 6 of the GDPR)
The restricted committee mentioned that, while commercial canvassing by telephone may be based on the legitimate interest of the company, it is on condition that the individuals concerned, at the time their data is collected, are informed that they may receive commercial prospecting from this company.
However, the CNIL found that the competition forms used to collect prospective customers' data did not systematically include HUBSIDE.STORE in the list of partners likely to contact the persons concerned.
Failure to comply with the obligation to inform individuals (article 14 of the GDPR)
Investigations revealed that individuals canvassed by telephone did not have all the necessary information on the collection and use of their personal data (for example, the identity and contact details of the organization, the purposes for which the data was used, the retention periods, the source of the data, their rights or even their possibility of lodging a complaint with the CNIL).
The restricted committee explained that this information was essential to allow individuals to exercise their rights, such as accessing and rectifying their data, or objecting to further solicitations, simply and free of charge.