In a decision dated August 3, 2022, the CNIL's restricted committee ordered ACCOR SA to pay a fine of 600,000 euros and to publish the decision on the CNIL's website and on Légifrance, for failures relating to commercial prospecting.
The forbidden combination: a consent box pre-checked by default, commercial offers from partners, and no working way to exercise the right to object.
ACCOR is a hotel group that processes personal data across borders.
The company was found to have carried out commercial prospecting without valid consent. When a person made a reservation with hotel staff or via the website of one of the ACCOR group's brands, the box relating to consent to receive the newsletter was pre-checked by default, and the person then automatically received a newsletter containing commercial offers from partners.
The CNIL also noted technical anomalies, recurring over several weeks, that made it impossible for a significant number of people to effectively object to receiving prospecting messages.
As is often the case, complaints from dissatisfied consumers triggered the CNIL's inspection.
The CNIL received complaints, acted as lead authority and gathered the complaints received by other supervisory authorities under the cooperation procedure provided for this purpose by the GDPR.
The CNIL then began its inspection of ACCOR in February 2019 with an exchange of letters, followed by an on-site inspection and then a report detailing the failures to be corrected.
The failures identified concern the rules on consent, information and the exercise of rights in the context of prospecting.
The CNIL found ACCOR in breach of the following obligations:
- the obligation to obtain the consent of the data subject before processing his or her data for commercial prospecting purposes (Article L. 34-5 of the French Post and Electronic Communications Code);
- the obligation to inform data subjects (Art. 12 and 13 of the GDPR): the company did not provide, in an accessible way, the required information when a customer account was created or when a person joined the ACCOR group's loyalty program. Nor did it state consent as the legal basis for the processing when prospecting to promote the products or services of third parties;
- the obligation to respect individuals' right of access to data concerning them (Art. 12 and 15 of the GDPR), as the company did not respond to a complainant's requests within the required time;
- the obligation to respect the right to object (Art. 12 and 21 of the GDPR), as the company, because of malfunctions, did not act on a complainant's requests that no more commercial prospecting messages be sent to them;
- the obligation to ensure the security of personal data (Art. 32 of the GDPR), as the company allowed the use of insufficiently robust passwords. The CNIL also criticized the company for inviting a person to send his or her identity document by e-mail without the data being encrypted.
How to avoid this?
=> Apply 2 rules for commercial prospecting, and know the scope of the exception to rule 2.
1. Prior information of the persons concerned
Information on the processing and on the rights of the data subject
A simple way to object (unsubscribe link, contact address)
2. Prior consent of the persons concerned
Consent must be freely given, specific, informed and unambiguous
Pre-checked boxes are prohibited: a positive action by the data subject is required (the box must be unchecked by default)
Exception if the situation meets 2 cumulative conditions:
- the prospect is already a client* of the company;
- the prospecting concerns similar products or services provided by the same company.
* Note that this exception applies only if a sale or a service has actually taken place. Creating an account is not considered a sale or a service.
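To make the two rules and the exception concrete, here is an added example (not code from the original article, nor from ACCOR or the CNIL) encoding the decision "may this message be sent without fresh opt-in consent?". The data model, field names and campaign attributes are hypothetical; the logic follows the rules above: a pre-checked box is not consent, an account without a completed sale does not make someone a client, and partner offers are not "the same company's similar products". Even where the exception applies, an opt-out must still be offered.

```python
# Added example (hypothetical names): encodes prior opt-in consent and the
# cumulative "existing customer + similar products of the same company"
# exception, including the account-creation caveat. Not the article's code.
from dataclasses import dataclass


@dataclass
class Recipient:
    email: str
    has_completed_purchase: bool           # a sale or service actually took place
    has_account: bool = False              # account creation alone does not count
    consent_given: bool = False            # the consent box ended up ticked
    consent_default_checked: bool = False  # was the box pre-checked by default?


@dataclass
class Campaign:
    sender_company: str      # company sending the message
    promoted_company: str    # company whose products/services are promoted
    similar_products: bool   # similar to what the recipient already bought


def valid_opt_in(r: Recipient) -> bool:
    """Consent counts only if it came from a positive action on an unchecked box."""
    return r.consent_given and not r.consent_default_checked


def exception_applies(r: Recipient, c: Campaign) -> bool:
    """Both conditions must hold: a real past sale/service, and similar
    products or services offered by the same company (not a partner)."""
    return (
        r.has_completed_purchase                  # an account alone is not enough
        and c.promoted_company == c.sender_company
        and c.similar_products
    )


def may_send(r: Recipient, c: Campaign) -> tuple[bool, str]:
    """Return (allowed, reason). An opt-out link is required in every case."""
    if exception_applies(r, c):
        return True, "existing-customer exception (opt-out still required)"
    if valid_opt_in(r):
        return True, "prior opt-in consent"
    if r.consent_given and r.consent_default_checked:
        return False, "pre-checked box is not consent"
    return False, "no prior consent"


if __name__ == "__main__":
    # Constructed scenarios mirroring the case: a guest who booked a room
    # with a pre-checked box, then received partner offers.
    guest = Recipient("guest@example.invalid", has_completed_purchase=True,
                      consent_given=True, consent_default_checked=True)
    partner_offers = Campaign("HotelCo", "PartnerCo", similar_products=False)
    own_offers = Campaign("HotelCo", "HotelCo", similar_products=True)
    print(may_send(guest, partner_offers))   # blocked: pre-checked box
    print(may_send(guest, own_offers))       # allowed: existing customer
    account_only = Recipient("new@example.invalid", has_completed_purchase=False,
                             has_account=True)
    print(may_send(account_only, own_offers))  # blocked: account is not a sale
```

Note that the helper deliberately treats the pre-checked box as a hard failure even though the recipient "left it ticked"; that is exactly the situation the CNIL sanctioned.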
=> Put in place a clear, well-understood and actually applied procedure for handling data subjects' rights requests
2 things to keep in mind:
- Consumers are over-solicited and irritated by prospecting and by the use of their data.
- Most of the CNIL's inspections are prompted by complaints from individuals.
With this in mind, it cannot be overstated how important it is to let people exercise their rights quickly and clearly, so that they feel heard and respected and any conflict is defused immediately.
This presupposes an internal procedure for responding to data subjects' requests that is clear, well understood and applied.
So... make your teams aware!
The TAoMA Data protection team