CNIL Fines Canal+ Over Marketing And Data Security Concerns

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
The French Data Protection Authority announced a €600,000 fine against Groupe Canal+ over concerns with the media company's direct marketing activities.
United States Privacy

Listen to this post

The French Data Protection Authority announced a €600,000 fine against Groupe Canal+ over concerns with the media company's direct marketing activities. According to the CNIL, the company sent users email marketing without getting consent, in violation of both GDPR and French privacy law. In particular, the CNIL noted, the company sent marketing emails to individuals who had provided their personal information not to Canal+, but instead to one of its partners. When doing so, they were not told by the partner that the information would be share with -and used by- Canal+ for Canal+'s marketing activities. Canal+ should have ensured that the partners had gotten appropriate consent, according to the CNIL.

In addition, the decision against the company cited other alleged violations of GDPR. This included not disclosing in the company's privacy policy its data retention period. (The policy that was shared with users when they created a "MyCanal" account). It also included not giving privacy disclosures when contacting consumers by phone, and not responding to rights requests within a month after receiving them from consumers. It also, the CNIL indicated, did not respond to certain consumers' access requests.

In addition to data privacy concerns, the decision also highlighted data security concerns as well. According to the CNIL the company did not use appropriate security measures when storing employee passwords. It also failed to notify the CNIL of subscriber data that resulted in that data being viewable to others for five hours.

Putting it into Practice: This case is a reminder to review marketing consents, even when information is being collected by a third party. Companies may also want to review their rights requests and breach notification procedures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More