Data brokers: CALOGA fined €80,000

27 May 2025

On 15 May 2025, the French Data Protection Authority (CNIL) fined CALOGA 80,000 euros for commercial prospecting without prospects’ consent and transferring their data to partners without a valid legal basis.

Context

As the CNIL made commercial prospecting a priority topic for investigations in 2022, it focused on the practices of professionals in this ecosystem, in particular intermediaries who resell data, known as data brokers.

Thus, the CNIL carried out investigations on CALOGA, which obtained prospect data mainly from other data brokers, publishers of game contests and product testing sites (these actors are the first links in the chain and at the origin of the collection of data from prospective customers, known as primary collectors). CALOGA used this data to carry out commercial prospecting by e-mail to prospects on behalf of its advertiser customers. It could also pass on some of this data to its customers, so that they themselves could carry out electronic canvassing.

Based on the findings of the inspection, the restricted committee – the CNIL body responsible for issuing sanctions – considered that the company had failed to comply with obligations under the French Post and Electronic Communications Code (CPCE) and the General Data Protection Regulation (GDPR).

It imposed an €80,000 fine on CALOGA, which was made public.

The amount of the fine took into account the large number of people involved, the company's historical position on the market, the financial benefit derived from the breaches and the complete cessation of activity of the company in 2024.

Sanctioned breaches

Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Article L. 34-5 of the CPCE)

CALOGA offered its customers (in particular companies) to carry out email prospecting campaigns on their behalf. To carry out these campaigns, the company used prospect data held by a number of data brokers, who collected the data via entry forms for game contests or online product tests on various websites.

The restricted committee considered that the misleading appearance of the forms did not make it possible to obtain free and unambiguous consent, in compliance with the requirements of the GDPR, which would have formed the basis for the prospecting operations carried out by the company.

Illustrations of non-compliant forms used by data brokers (as examples)

Indeed, the prominence given to the buttons allowing users' data to be used for commercial prospecting purposes (by their size, colour, title and location), compared to the hypertext links allowing users to take part in the game without agreeing to this use (of a much smaller size and blending in with the body of the text), strongly encouraged users to accept.

CALOGA used data collected by data brokers. Consequently, it had to ensure that individuals had expressed valid consent before carrying out its prospecting campaigns.

The contractual requirements that the company imposed on its suppliers, upstream, and the checks that it claimed to have carried out, downstream, were clearly insufficient. In any event, it had not drawn the appropriate conclusions, insofar as forms investigated by the CNIL did not allow valid consent to be obtained.

Failure to comply with the obligation to respect withdrawal of consent (Article L. 34-5 of the CPCE as referred to in Article 7 of the GDPR)

The company organised its processing around four databases (or ‘brands’): CALOGA, ZEPLAN, BASYLO and VOZEKO.

The restricted committee noted that, under the system implemented by CALOGA, it was not possible for prospects to unsubscribe with a single click from the various CALOGA databases in which they were registered.

To do so, they had to send an e-mail request to the Data Protection Officer. It was therefore not as easy for prospects to withdraw their consent as it was to give it. Moreover, CALOGA named one of its four databases (or ‘brands’) ‘CALOGA’, which was confusing because the prospect, by clicking on the unsubscribe link entitled ‘do not receive any further offers from CALOGA advertisers’, could legitimately assume that his or her request was valid for de-registration from all the company's databases.

Failure to comply with the obligation to have a legal basis for processing data (Article 6 of the GDPR)

As part of its activity as a data broker, the company also transmitted databases to other partners, who sent commercial prospecting by e-mail for their advertiser customers. It based this data transmission on the legal basis of legitimate interest.

However, this processing must be based on the consent of the data subjects, which CALOGA did not obtain.

Failure to comply with the obligation to define and respect a data retention period proportionate to the purpose of the processing (Article 5-1-e of the GDPR)

CALOGA applied a maximum retention period of twelve months from the last action taken by the ‘active’ prospect, taking into account in particular the date on which the email was opened. After twelve months, when the prospect was considered ‘inactive’, the company applied an additional retention period of four years for evidential purposes.

The restricted committee sanctioned this practice, noting that each time a prospect opened an email from the company - even inadvertently - the company extended the storage of this prospect's data in its databases, potentially without limitation. The restricted committee pointed out that prospects’ data may be kept for a period of three years from the date of collection or the last contact from the prospective customer (this contact cannot simply be the opening of an e-mail).

The restricted committee also noticed that the company did not archive any of its prospect data and kept it in an active database for a period of four years from the time the prospect was considered ‘inactive’. However, it was up to the company to sort through this data, to retain only the data strictly necessary for evidential purposes, and to limit access to it to only those people concerned.