CNIL investigations in 2024: minors' data, Olympic Games, right of access and digital receipts

08 February 2024

Each year, some of the CNIL's inspections focus on priority topics that it selects. For 2024, it has said these topics will be data relating to minors, files linked to the Olympic and Paralympic Games, electronic sales receipts and loyalty programmes, and people's right of access.

Every year, the CNIL carries out hundreds of inspections (340 in 2023) in response to complaints, reports of data breaches or current events.

The CNIL also defines priority topics in order to focus its inspection policy on subjects of high public interest and to assess the compliance of selected sectors. On average, these topics account for 30% of the inspections carried out.

Priority investigation topics in 2024

Data collection for the Olympic and Paralympic Games

Several million spectators and thousands of athletes are expected in France as part of this major international event. Major security measures will be deployed, justifying the CNIL's verification of the strict use that will be made of them. Checks will be carried out on the introduction of QR codes for restricted areas, access authorisations and the use of augmented cameras.

In addition to this security aspect, the CNIL will also be looking at the more commercial aspects of the Olympic Games, and in particular at the data collected as part of the ticketing services. In view of the number of people concerned and the event's partners to whom data could be sent, it seems necessary to ensure that the conditions under which this data is collected are compliant with the legal framework, by checking the information provided, the recipients of the data and the security measures deployed.

Data collected online from minors

Minors are being exposed to social networks, dating sites and online gaming platforms at an increasingly early age. This can lead to the massive collection of information about their identity, preferences and lifestyle, with significant repercussions for their privacy, psychological well-being and socio-professional future.

During its investigations, the CNIL will be checking the applications and sites most popular with children and teenagers to see whether age control mechanisms have been implemented, what security measures are in place and whether the principle of data minimisation has been respected.

Loyalty programmes and electronic till receipts

The majority of supermarket chains offer loyalty programmes, which can involve the collection of a great deal of information about consumers: eating habits, household composition, children's age categories, presence of pets, etc. This data can then be re-used for commercial prospecting or advertising targeting.

In addition, the recent dematerialisation of till receipts, permitted by the law on reducing waste and promoting the circular economy, may also lead to additional processing of personal data, for example to enable the receipt to be sent by SMS or email.

These factors justify the CNIL taking an interest in the information shared with consumers and ensuring that consent is obtained before any data is re-used for advertising targeting purposes.

Data subjects' right of access

As part of the third action of the Coordinated Enforcement Framework of the European Data Protection Board (EDPB), the CNIL and its counterparts will be carrying out checks on the conditions under which data controllers implement the right of access.

The aim of this action is to harmonise the effective application of the GDPR and coordination between the supervisory authorities. The national results will then be pooled and analysed, enabling a better understanding of the subject and targeted monitoring at national and European level.