Carrefour France has been fined by CNIL for violating GDPR and French data protection laws, including excessive data retention, unclear data processes, inadequate response to requests, security breaches, and unlawful use of cookies. They also sent prospecting emails despite objections and did not provide unsubscribe links.
Excerpt
Our analysis
In 2019, the French Data Protection Authority (CNIL) investigated the online retail store carrefour.fr, operated by Carrefour France, after receiving fifteen complaints related to the website between June 2018 and April 2019. The CNIL found several violations of the General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique & Libertés), and the French postal and electronic communications code, including the use of deceptive patterns. Some of the violations included Carrefour sending prospecting emails to data subjects who had objected, not providing a positive response to data deletion and access requests, not including an unsubscribe link in commercial emails, keeping data on loyalty program members for four years after their last contact with the company, keeping a copy of a data subject's ID card after their request was met, and systematically requesting an ID card for the exercise of a right by a data subject, violating Article 12 GDPR. The CNIL also investigated the information provided to data subjects, including the spread of mandatory information on data processing across several web pages, making the information part of the terms and conditions of the loyalty program, and referring data subjects to the privacy policy on the carrefour.fr website without specifying the exact URL address. The use of vague wording was also a violation, such as "These treatments mainly include" and "for one or more of the following purposes for which your data may be used."
The CNIL reminded Carrefour France that the appropriate data retention period should be determined based on the purpose of the processing and the specifics of the business sector of the data controller. For loyalty program members of a retail company, the CNIL recommends a maximum retention period of three years. The CNIL found that Carrefour violated Article 5(1)(e) GDPR by keeping a copy of a data subject's ID card for up to six years when dealing with data subjects' exercise of rights. The systematic request for an ID in order to exercise a right was also a violation, making the exercise of right harder than it should be, and Carrefour exceeded regularly the one-month delay to answer a request. Regarding the right to information, the CNIL found that the information provided to data subjects was not easily accessible and not clear, concise, and transparent as required by Articles 12 and 13 GDPR. The information was spread-out across several web pages and not organised nor prioritised, and several mandatory information were missing or incorrect.
Outcome
In a joint effort with CNIL, Carrefour France has been sanctioned for the use of unprotected URL addresses that led to the public exposure of personal data. The violation of Article 32 GDPR resulted in a €800000 fine on Carrefour Banque, a sibling company of Carrefour France.
Parties
Carrefour France and CNIL
Case number
SAN-2020-008
Decision
Related deceptive patterns
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.
Grants individuals the right to access their personal data and receive information on how it is processed.
Grants individuals the right to have their personal data erased under certain circumstances.
Gives individuals the right to object to the processing of their personal data in certain situations.
Requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Requires controllers to notify the supervisory authority without undue delay if a personal data breach is likely to result in a risk to the rights and freedoms of individuals.
Outlines conditions for fines and penalties for non-compliance, including up to 4% of global annual revenue or €20 million, whichever is greater.