Privacy & Information Security Law Blog

On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).

Online Purchases

In the context of online purchases, the Guidelines make clear that online merchants must limit their use of bank card numbers and visual cryptograms. Once the transaction is complete, the merchants should not store or reuse the bank details of their customers without the customers’ prior consent. Although visual cryptograms should not be retained at all, the merchant may archive bank card numbers for up to 15 months (i.e., the time period during which a cardholder may challenge a charge).

Direct Marketing by Mail and Telephone

The Guidelines also focus on direct marketing by mail and telephone, reiterating that companies must (1) inform individuals of any possible commercial use of their personal data (either by the company itself or by business partners), and (2) enable individuals to object to such use when their data are collected.

Direct Marketing by Email, SMS and MMS 

Turning to electronic direct marketing, the Guidelines note that, with a few exceptions, companies must obtain the individual’s prior consent (“opt-in”) to send marketing communications by email, SMS and MMS.

Contests, Sweepstakes and Refer-a-Friend Programs 

With respect to contests and sweepstakes, the Guidelines emphasize that web users must be able to participate in online contests without being obligated to receive commercial communications. The Guidelines further clarify that the players’ electronic contact details may not be used for marketing purposes, except with the individual’s explicit consent.

Consumer Tracking 

Finally, the Guidelines address the issue of consumer tracking and the fact that the individual’s prior consent must be obtained when using geolocation information for commercial purposes, and when placing or accessing cookies or any other similar technologies on the user’s device. In certain cases, some cookies may, however, be placed without the users’ prior consent. For example, if the cookies are used for security purposes with respect to a service requested by the user (such as online access to the user’s bank account information).

The CNIL issued these Guidelines to increase merchant and consumer awareness and to help all parties understand their respective rights and obligations under French data protection law. In 2012, 20% of the complaints the CNIL received were related to commercial practices, in particular, direct marketing. When conducting inspections, the CNIL found that the majority of French data protection law violations pertained to unfair or illicit collection of personal data, failing to provide (or providing inaccurate) information to individuals, and not honoring the right to object to personal data processing.