Solocal Marketing Services Hit with Fine for Data Consent Failures
Key Takeaways
- €900,000 Fine: Solocal Marketing Services was fined €900,000 by the CNIL for failing to obtain proper consent from individuals before using their data for marketing purposes and for sharing the data with third parties without a valid legal basis.
- Consent Issues: The data collection forms used by Solocal’s brokers were designed to mislead users, making it difficult for them to provide informed and free consent, violating GDPR requirements.
- Proof of Consent: Solocal failed to provide proof of consent for the data it received, leaving the CNIL unable to confirm that the data was legally processed.
- Ongoing Penalties: Solocal must cease its electronic marketing activities unless valid consent is obtained and faces a €10,000 daily fine for non-compliance, starting nine months from the order.
Deep Dive
Recently, the French Data Protection Authority (CNIL) handed down a €900,000 fine to Solocal Marketing Services, accusing the company of mishandling personal data for commercial prospecting campaigns. The fine stems from Solocal's failure to secure proper consent from individuals and its unauthorized sharing of this data with third parties.
The CNIL, after making commercial prospecting an area of focus in 2022, has been closely examining the practices of data brokers (those behind the massive data trade that feeds countless marketing campaigns). Solocal, which sources its data from these brokers, found itself under scrutiny after the CNIL’s investigation revealed serious issues with the way it handled user consent.
Solocal primarily relied on data brokers who collected personal information through game contest entries and online product testing forms. These brokers, positioned as the first link in a chain of data collection, then sold that data to Solocal, which used it for SMS and email marketing campaigns. This practice, however, quickly raised red flags.
The Investigation: A Flawed Consent System
The heart of the issue came down to one critical question: Was the data collected with valid consent? The CNIL’s investigation found that the forms used by data brokers were designed in a way that made it nearly impossible for individuals to give informed consent.
Here’s how it worked: the consent options were presented in a way that pushed individuals toward agreeing to the use of their data. The buttons for consent were large, bold, and hard to miss. In contrast, the option to opt out was small, barely noticeable, and tucked away in the fine print. This design made it more likely that users would unknowingly consent to their data being used for marketing, undermining the transparency and clarity that GDPR demands.
On top of that, Solocal failed to prove that individuals had indeed consented to the use of their data. Despite claiming to have verified this through checks with their data suppliers, the company couldn’t provide the CNIL with any valid evidence that would demonstrate proper consent had been obtained. The result? A violation of GDPR’s consent and data processing requirements.
The Penalties: A Warning for Data Handlers Everywhere
The CNIL did not take this lightly. In addition to the €900,000 fine, Solocal was handed an order to cease its electronic marketing activities unless proper consent is secured from individuals. Failure to comply would lead to a €10,000 penalty per day, starting nine months from the order.
The fine was hefty, taking into account several factors: the vast number of individuals affected, Solocal’s established market position, and the financial benefit the company gained from these illegal practices. Furthermore, despite the CNIL’s findings, Solocal had only taken partial steps to bring its operations into compliance after the investigation was underway:
- Consent Issues: Solocal relied on data brokers who used misleading forms, making it nearly impossible for users to freely consent to their data being used.
- Proof of Consent: Solocal failed to demonstrate that they had valid consent for the data they were using. Without that proof, the CNIL could not verify whether the data collection process met GDPR standards.
- Delayed Action: Despite the clear findings, Solocal waited 17 months to stop using non-compliant data, making the situation worse in the eyes of the regulator.
For businesses using third-party data, this is a reminder to ensure the entire chain of data handling is above board and that clear, informed consent is obtained from every individual whose data is being used. Anything less not only risks a fine but also damages trust with consumers, a cost that's far too high in today's data-driven world.