CNIL Releases Data Sharing Guidance for Third-Party Marketing under GDPR – Requires Informed Consent
CNIL, the French Data Protection Authority (DPA), has recently become a driving force for change in data privacy practice: it has released guidance requiring consent before personal data is disclosed to third parties for marketing purposes, and it has fined Google under GDPR for invalid consent and a lack of transparency.
The CNIL guidance on the requirements for sharing data with third parties for marketing purposes under GDPR and other laws was published in French at the end of December. It sets out five criteria and targets sharing with partners and other organizations (such as data brokers) for commercial prospecting by SMS text message or email.
Here is an overview of the notice from CNIL:
1. Organizations must obtain the individual's consent before transmitting their personal data to third parties.
2. Forms collecting the data must identify the third-party recipients, either through an exhaustive and regularly updated list or through a link to the list of partners together with links to their privacy policies.
3. Individuals must be informed of changes to the list, in particular the addition of new partners.
– Each email must include the list of partners.
4. An authorized recipient of the data may not pass it on to another organization without collecting informed consent again.
5. Third parties receiving the data must, in their first communication with the individual, tell them how to exercise their rights and where the data came from. This must occur within one month of receiving the data at the latest (the information duties of GDPR Article 14 for data not obtained directly from the data subject).
– If a company receives an objection from an individual, it must pass the objection on to every partner with whom it has shared that individual's data.
Here is a link to the CNIL guidance in French.
GDPR Statistics Published
For Data Protection Day (usually referred to as Data Privacy Day here in the United States), the European Commission also issued an infographic built on data from the European Data Protection Board. It contains several informative GDPR statistics worth sharing:
The Data Protection Authorities have received 95,180 complaints from individuals, and from organizations acting on behalf of individuals, since GDPR took effect. Note that some complaints filed after May 25th may concern matters that happened before the effective date. The most common complaints concern telemarketing, promotional emails and CCTV/video surveillance.
The DPAs have received 41,502 data breach notifications from organizations. Article 33 requires a controller to notify a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
There have been 255 investigations of cross-border cases since May 2018, most of them opened after receipt of an individual complaint.
Three GDPR fines have been issued so far, with CNIL's fine of 50 million euros against Google by far the largest. The other two total roughly 25,000 euros combined, levied against a social network operator and a sports betting cafe.
Twenty-three member states have brought national legislation implementing GDPR into force. Five countries are still in the process of doing so: Bulgaria, Czechia, Greece, Portugal and Slovenia.
Here is the link to the infographic: GDPR in Numbers (PDF).
More Resources:
Ready for the new California privacy law coming on January 1, 2020? Learn more about CCPA compliance and contact us to see a demo of the Clarip privacy management platform used by Fortune 500 clients.