The beginning of 2021 is marked by a new sanction pronounced by the French Data Protection Supervisory Authority (the "Commission Nationale de l'Informatique et des Libertés" or "CNIL") against the company Nestor, which specializes in the preparation and delivery of meals for office workers.
Although the 20,000-euro fine may seem light in comparison with the much heavier penalties imposed by the French Data Protection Authority in 2020, this new decision is nonetheless important, as it addresses the conditions under which commercial prospecting through social networks can be carried out using a very widespread practice: scraping.
Among the various violations that were pointed out, one in particular caught the French Authority's attention: the commercial solicitation of identified prospects via LinkedIn without any consent.
To justify its decision, the CNIL noted that Nestor had built up its database of prospects using web-scraping on the basis of online data available on the "company's professional social networking website". This database allowed the firm to contact more than 600,000 prospects.
According to the CNIL, even though the data were made accessible to the public through the professional network, these prospecting actions constitute a breach of Section L.34-5 of the French Postal and Electronic Communications Code, which prohibits direct prospecting without the consent of the data subject.
The Commission found that:
- The messages sent for the sale of meals at the workplace only have a slight connection with the prospects' professional
- The CNIL previously stated that when individuals who have posted their data do not reasonably expect to be prospected, the reuse of the data for commercial purposes is only possible with their consent.
- An individual who publishes his or her professional email address on a professional social network does not reasonably expect to be prospected for catering services.
- Prospects have not been informed of the collection of their data and have not been given the opportunity to consent to the processing of their data.
This decision is an opportunity to review the rules to apply when prospecting via professional social networks.
Rule #1: Beware of web-scraping
Given the increasing number of data extraction providers and software, the CNIL has had the opportunity to state its position on the practice of web-scraping (or extraction of publicly accessible data).
Data extraction is allowed when a certain number of conditions stemming from the French Data Protection Act are observed.
Rule #2: Check the origin of the data
This includes LinkedIn's T&Cs, which state that: "You agree not to develop, support or use software, devices, scripts, robots or any other means or processes (including but not limited to web crawlers, browser plug-ins and add-ons, or any other technology) to web scrap the Services or otherwise copy profiles and other data from the Services".
In this case, the extraction and reuse of the data is not allowed, and penalties may be imposed.
Rule #3: Obtain consent
In terms of commercial prospecting by email, the rule is as follows: no commercial message without the recipient's consent.
Even though the data is made publicly and voluntarily accessible, the prospects' consent must be obtained prior to any commercial solicitation.
Indeed, advertising by e-mail is possible provided that individuals have explicitly given their consent to be contacted, upon collection of their e-mail address.
There are two exceptions:
- If the person contacted is already a client of the company and if the prospecting concerns products or services similar to those already provided by the company;
- If the prospecting is not of a commercial nature (e.g., charitable prospecting).
In general, it is necessary to ensure that the consent collected is free, specific, informed and unambiguous.
Rule #4: Ensure the exercise of the right to object
Pursuant to Article 21 of the European General Data Protection Regulation (GDPR), the data subject has the right to withdraw his or her consent and to object to the processing of his or her data at any time.
The various communication channels must provide a simple means for any person to object to the processing (URL link to object, "STOP" phone number) and ensure, where applicable, the application of anti-spam lists such as the French BLOCTEL system for telephone canvassing.
Rule #5: Apply specific retention periods for direct marketing
Personal data relating to a non-customer prospect may be kept for a period of 3 years from the date of collection or the last contact from the prospect.
A request for documentation or a click on a hyperlink contained in an e-mail constitutes a positive act. However, the opening of an e-mail cannot be considered as a contact from the prospect.
Rule #6: Comply with the GDPR general obligations
As for any other processing, the general principles of personal data protection must be complied with.
This will include:
- minimizing data collection,
- informing the data subjects about the processing of their data,
- supervising relations with processors (web-scraping service providers), and
- if necessary, carrying out a data protection impact assessment (DPIA) prior to processing.