On 17 June 2021, the CNIL imposed a fine of 500,000 euros on BRICO PRIVÉ, a French company operating the DIY private sales website bricoprive.com, together with an order to comply within 3 months subject to a penalty of 500 euros per day of delay, for:
- sending direct marketing e-mails without the consent of individuals and failing to comply with the obligations relating to cookies (200,000 euro fine);
- breaching several provisions of the GDPR relating to the retention period, the obligation to inform individuals and their right to erasure, and for a breach of data security (300,000 euro fine).
The key point of this decision is the CNIL's reminder of its position that the mere creation of a user account, when not followed by a purchase, is not sufficient to allow marketing e-mails to be sent without the user's prior consent.
Background – procedure
The CNIL carried out three inspections between 2018 and 2021 at BRICO PRIVÉ, publisher of the bricoprive.com private sales website dedicated to DIY, gardening and home improvement.
This company operates in France, Spain, Italy and Portugal. During its inspections, the CNIL found several breaches concerning the processing of personal data of prospects and customers.
As the company operates in several countries, the CNIL cooperated with the supervisory authorities of the three other countries in which BRICO PRIVÉ offers its services, but only for the breaches of the GDPR and not for those relating to the ePrivacy Directive as transposed into national law (i.e. the breaches of the rules on cookies and trackers and on direct marketing, which are not subject to the cooperation mechanism).
Breaches of the GDPR subject to European cooperation
BRICO PRIVÉ breached several provisions of the GDPR, including those relating to the retention period, the information notice and security. For example, the data of some 130,000 inactive customer accounts was kept for more than 5 years.
BRICO PRIVÉ also breached its security obligations. The company did not require a strong password either when users created an account on its website or when employees accessed the customer relationship management (CRM) software.
In addition, employees' authentication to the company's databases was insufficiently secure, because the passwords used to access those databases were stored in clear text on a company computer.
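The decision does not say what password policy BRICO PRIVÉ applied, only that a strong password was not required. The following is an added example, not code from the company or from the CNIL decision, of the kind of check that enforces such a requirement at account creation: minimum length, several character classes, a minimum number of distinct characters, and a deny-list of common passwords. The thresholds (12 characters, 3 of 4 character classes) and the deny-list entries are illustrative assumptions, not figures taken from the decision.

```python
"""Illustrative password-policy check (added example; thresholds are assumptions)."""
import unicodedata

# Assumed policy thresholds; the CNIL decision does not state the required values.
MIN_LENGTH = 12
MIN_CLASSES = 3
MIN_DISTINCT = 3

# Constructed deny-list: passwords that satisfy length/class rules yet remain
# trivially guessable. A real deployment would use a large breached-password list.
COMMON_PASSWORDS = {
    "password123!",
    "azerty123456",
    "motdepasse1!",
    "qwerty123456",
}


def character_classes(password):
    """Return the set of character classes (lower, upper, digit, symbol) present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(password, min_length=MIN_LENGTH, min_classes=MIN_CLASSES,
                   min_distinct=MIN_DISTINCT):
    """Return the list of policy rules the password fails; an empty list means it is accepted.

    The password is NFKC-normalised first so that visually identical Unicode
    input is measured consistently before length and class rules are applied.
    """
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(pw)) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if len(set(pw)) < min_distinct:
        problems.append("too few distinct characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the deny-list")
    return problems


if __name__ == "__main__":
    # Constructed candidates: what a "no policy" signup form would accept versus
    # what this check accepts.
    for candidate in ["123456", "aaaaaaaaaaaaaaaa", "Password123!", "Correct-Horse-Battery-7"]:
        result = check_password(candidate)
        verdict = "accepted" if not result else "rejected: " + "; ".join(result)
        print(f"{candidate!r}: {verdict}")
```

The same function can be reused for employee accounts on the CRM software, which the decision treats under the same security obligation as customer accounts.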
Finally, BRICO PRIVÉ failed in its obligation to fully comply with the erasure requests it received, insofar as it only deactivated access to the account and kept the surname, first name and e-mail address.
Breaches not subject to European cooperation
The following two breaches fall outside the GDPR and were therefore not subject to the cooperation procedure between the European authorities.
Failure to comply with the obligation to obtain the consent of individuals for direct marketing by e-mail (Article L. 34-5 of the CPCE)
According to the CNIL, the company sent direct marketing e-mails, without obtaining their prior consent, to users who had created an account on the site but had never made a purchase.
The CNIL considered that the mere creation of an account did not, by itself, allow BRICO PRIVÉ to send direct marketing e-mails.
The French authority considered that the creation of an account did not allow BRICO PRIVÉ to rely on the exception provided for in Article L. 34-5 of the CPCE (or Article 13 of the ePrivacy Directive), which allows direct marketing e-mails for similar products or services to be sent when the user provided his or her contact details in the course of a sale or the provision of a service.
Thus, for the CNIL, only the purchase of a good or a service would have allowed the company to rely on this exception; the mere creation of an account is not sufficient.
Failure to comply with the rules on cookies (Article 82 of the French Data Protection Act)
The CNIL noted that cookies for advertising purposes were automatically placed on the user's terminal when visiting the bricoprive.com website, before the user could give consent, which is contrary to the cookie rules requiring the user's prior consent.
For all the reasons set out above, and even though the company came into compliance on certain points during the procedure, the CNIL imposed an overall penalty of 500,000 euros on the company and an injunction to comply within 3 months of notification of the decision, subject to a penalty of 500 euros per day of delay.
If you have any questions, please do not hesitate to contact Arnaud Blanc, French Lawyer, GDPR expert.