FORIOU Faces Fine from CNIL for Unlawful Use of Data

FORIOU, a company specializing in marketing loyalty programs and cards, has been slapped with a substantial fine of €310,000 by the French data protection authority, CNIL (Commission Nationale de l'Informatique et des Libertés). The penalty comes as a result of FORIOU's use of prospect data obtained from data brokers for commercial prospecting purposes without ensuring valid consent from the individuals involved.

The CNIL's restricted committee, responsible for issuing sanctions, conducted investigations and determined that the data collection forms used by the data brokers provided a misleading appearance. This deception made it impossible to obtain valid consent from the individuals, leading to FORIOU having no legal basis for utilizing the data for canvassing purposes. This action is deemed a violation of Article 6 of the General Data Protection Regulation (GDPR).

The €310,000 fine, equivalent to approximately 1% of FORIOU's turnover, reflects the severity of the breach and the responsibility borne by the organization in using unlawfully obtained data.

FORIOU conducts phone prospecting campaigns to promote its loyalty programs and cards, purchasing prospect data from data brokers and publishers of competition and product testing websites. However, the CNIL found that the misleading appearance of the forms used by data brokers, collected through competition and testing sites, made it challenging to obtain free and unambiguous consent—a requirement under the GDPR.

The restricted committee highlighted the prominence given to buttons encouraging users to transmit their data for commercial prospecting purposes, compared to smaller hypertext links allowing participation without data transmission. This design strongly influenced users to accept data transmission.

While FORIOU had imposed contractual requirements on its data suppliers, the CNIL noted a lack of effective downstream control, leading to a significant proportion of non-compliant prospect files. Additionally, the competition forms did not consistently mention FORIOU as a potential partner approaching the individuals, further contributing to the lack of clarity and valid consent.

The CNIL emphasizes the responsibility of companies to ensure valid consent from individuals for the use of their data. This fine serves as a warning to organizations about the importance of transparency and compliance with GDPR regulations in the realm of data acquisition and commercial prospecting.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.