Online clairvoyance: COSMOSPACE and TELEMAQUE fined €250,000 and €150,000
On 26 September 2024, the CNIL fined COSMOSPACE and TELEMAQUE, notably for excessive personal data retention, collection of sensitive data without valid consent and for failing to comply with the rules governing commercial prospecting.
Background
COSMOSPACE and TELEMAQUE provide remote clairvoyance services, one by telephone and the other via online chat and text messages.
Inspections carried out by the CNIL in 2021 revealed several breaches, including the collection of sensitive data without prior explicit consent (in particular health data and data relating to sexual orientation), the retention of data for an excessive period, the sending of commercial prospection communications to people who had not given their consent and, in the case of COSMOSPACE, the systematic recording of telephone calls.
As a result, the restricted committee - the CNIL body responsible for issuing sanctions - imposed a fine of 250,000 euros on COSMOSPACE and another one of 150,000 euros on TELEMAQUE. In both cases, these fines were adopted in cooperation with approximately fifteen European counterparts of the CNIL.
The amounts of these fines were decided on the basis of the seriousness of these breaches, the number of people concerned (the database shared by the two companies containing the data of more than 1.5 million people) and the sensitivity of the data processed. The financial situations of the companies and their structures were also taken into account, in order to set dissuasive but proportionate fines.
Sanctioned breaches
Failure to comply with the obligation to minimise personal data collection and processing by COSMOSPACE (Article 5.1.c of the GDPR)
COSMOSPACE systematically recorded all telephone calls made between clairvoyants, customers and switchboard operators. The company considered that such recordings were justified to monitor the service quality and for training purposes, to demonstrate that the contract had been taken out and properly performed, to respond to legal requests and, lastly, for the purposes of safeguarding human life.
The restricted committee considered that these purposes did not justify recording all calls in a complete and systematic manner, specifying that these recordings should be limited, on the one hand, to a sample of conversations to verify the service quality and to ensure the training of employees and, on the other hand, to calls made between operators and customers or prospects for the part clearly relating to the conclusion of the contract. The restricted committee also considered that in the event of calls from people in distress, employees could manually trigger the recording.
Failure to comply with the obligation to retain data for a period limited to the intended purpose (Article 5.1.e of the GDPR)
COSMOSPACE retained its customers’ data for six years from the end of the commercial relationship, in order to be able to send commercial prospection communications.
The restricted committee recalled that the CNIL recommended a retention period limited to three years for this purpose and considered that the company had not demonstrated the need to retain the data twice as long. It emphasised the inconvenience that could be caused by sending such messages over such a long period.
TELEMAQUE retained its customers’ data in an active database for a period of six years, without restricting access to this data or sorting it in any way.
The restricted committee recalled that if certain customer data could be retained at the end of the commercial relationship (for example, for litigation or pre-litigation purposes), it was the company's responsibility to sort through this data, to retain only what is necessary for these purposes, and to limit access to it by archiving it on an intermediate basis.
Failure to comply with the obligation to obtain prior consent from individuals to process special categories of personal data (Article 9 of the GDPR)
During consultations by telephone, chat or text messages, customers may be asked to reveal data relating to their sexual orientation or sex life, their religious beliefs or their state of health. Moreover, the online users of COSMOSPACE and TELEMAQUE could fill in a form to make a prediction about their compatibility with a person of their choice, enabling them to deduce their sexual orientation.
The companies should have obtained the prior and explicit consent of their customers to the processing of their sensitive data. The restricted committee pointed out that the mere willingness to receive clairvoyance services and to spontaneously provide sensitive information could not be considered as explicit consent. The companies should also have provided specific information about the collection of this sensitive data.
Failure to comply with the obligation to obtain consent to receive commercial prospecting by electronic means (Article L.34-5 of the French Postal and Electronic Communications Code - CPCE)
In order to carry out their commercial communications by emails and text messages, COSMOSPACE and TELEMAQUE had a common database containing all the data of their customers and prospective customers. This data was collected in particular via forms on the websites set up by the two companies.
The restricted committee considered that the appearance of these forms did not allow the persons concerned to be clearly informed that their data could be used indifferently by one or other of these companies. Consequently, COSMOSPACE could not rely on the consent obtained by TELEMAQUE on its behalf, and vice versa.