CNIL (National Commission for Information Technology and Civil Liberties) commercial prospecting

CNIL (National Commission for Information Technology and Civil Liberties) commercial prospecting: how to cope with the GDPR?

CNIL (National Commission for Information Technology and Civil Liberties) B2B & B2C commercial prospecting: Be GDPR compliant to prospect effectively and risk-free.

To carry out commercial prospecting, you must, according to the CNIL (National Commission for Information Technology and Civil Liberties) (Commission Nationale de l'Informatique et des Libertés), comply with the GDPR to protect citizens on the territory of the European Union and strengthen control over the use of their personal data!

The CNIL (National Commission for Information Technology and Civil Liberties) acts simply and free of charge to protect consumers' rights. This includes automated calling, also known as automatic calling machines, commercial prospecting by e-mail and all other forms of prospecting.

 When it comes to prospect research, you need to respect certain information rules, especially on your website or e-commerce site.

The most important general principle of the GDPR is informing people. You must inform clients and prospects - Publish:

  • A compliant clients privacy policy
  • A compliant cookie privacy policy
  • A compliant cookies banner
  • Information notices wherever necessary
  • A mark of conformity

Privacy policy and cookies policy

The privacy policy aims to inform individuals about the processing of their personal data. It must clearly explain:

  • What's it for?
  • Who is it for?
  • Why is data processed?
  • What are the grounds for data processing?
  • What data is processed and for how long? ...

 For the cookies policy, you must specify the purpose of cookies on the site, the categories of cookies used, etc.

It's also important to set up information banners on your forms, registration, newsletter or contact page. They should mention that the data entered will be processed. A link to the privacy policy is also required.

On the other hand, there's no need to add a checkbox. By taking this action, visitors indicate their interest and can be contacted. This only applies to B2B, as prior consent is mandatory for B2C. All prospects must give their consent to receive commercial prospecting offers.

Always respect the Opt out rules

💡You must never forget to allow your prospects to unsubscribe. The company must inform consumers of their right to object to this use at any time, simply and free of charge.

This can be done at the time of data collection, during prospecting communications or by contacting the company directly, otherwise it may lead to an aggressive exchange or you may end up with spam. Every prospect must have the right to object, and this right must be respected.

Prospects should also be informed of the sources from which their data is collected at the end of each email sent to a prospect. 💼

In general, the CNIL (National Commission for Information Technology and Civil Liberties) encourages companies to respect the principles of transparency and respect for consumer choice, by giving consumers the power to object to the use of their data for commercial prospecting purposes.

What to do with your prospects or clients who have requested Opt Out?

You should never delete these databases entirely, but transfer them to an "unsubscribed" database, otherwise you'll have no trace of the Opt out or you'll potentially prospect these people again. 📂

Be careful, however, to retain only the minimum information required to identify the prospect, and not all the personal data you have in your possession.

Control your technical service providers!

Another general principle of the GDPR is to control your technical providers. You must control your technical providers who process personal data on your behalf! 🏆

Working with GDPR service providers

📜 There are different types of processors. It is mandatory to check them for GDPR compliance. It is also necessary to check whether or not the provider is located within the EU (e.g. USA) because, by default, the transfer of personal data outside the EU is prohibited. The use of tools such as Crisp or Calendly, which are in the USA, requires a prior contract.

🔑Alternatives to Google Analytics 3, which was banned in early 2022:

  • Very complicated and very risky: you can request that Google Analytics 3 not display the IP address.
  • Google Analytics 4 is Google's solution to this problem.
  • Alternatives proposed by the CNIL (National Commission for Information Technology and Civil Liberties): Matomo, ...
 
Be a compliant processor yourself

If you are a processor within the meaning of the GDPR, i.e. you process personal data on behalf of your clients (company, association...), it is necessary to include the DPA (Data Protection Agreement) in the GTCS.

Your clients will audit you frequently to verify that you are GDPR compliant.

Respecting the Data retention period

🔔 In B2B as in B2C, data may be kept for 3 years from the last interaction with the prospect or client for commercial prospecting purposes.

However, you can keep your clients' personal data until the end of your service.

Prior consent / Opt-in in B2B and B2C

Commercial prospecting is very permissive in B2B in France

There's a widely held misconception about the need for prior consent in B2B for commercial prospecting purposes. It's false! There's no need for opt-in, and the limit concerning the duration of data retention is rather vague: 3 years, but the B2B database can then be reused.

Within this framework, the transfer of databases is free, and the scraping of public information is authorized for commercial prospecting. For example, you have the right to legally purchase databases or obtain emails via LinkedIn databases.

B2B clients search by e-mail

In B2B, you can carry out commercial prospecting by postal mail or commercial prospecting by e-mail.

⚠ However, there are some simple conditions to observe when prospecting:

  • Inform prospects of the sources from which their data has been collected.
  • Inform them that this is commercial prospecting.
  • Give prospects the option of unsubscribing (The option of unsubscribing can take several forms: instruction, button, etc.).
  • You can only prospect people related to your business (e.g. if you sell flour, you can only target professionals who need it).

GDPR B2B prospecting: Prospecting generic emails

Generic emails are not personal data, since they contain no information about an individual.

The GDPR does not apply to generic emails. However, it is recommended to respect unsubscribe requests to preserve your reputation.

B2B prospecting by mail, telephone and SMS

Commercial canvassing by e-mail, post or telephone is possible, provided that individuals are able to object to such use simply and free of charge (B2B). 

According to the CNIL (National Commission for Information Technology and Civil Liberties), you have the right to carry out commercial prospecting by SMS, but people must first be informed.

Commercial prospecting is much more regulated in B2C.

Consent is one of the legal bases provided by the GDPR on which personal data processing can be based. The CNIL (National Commission for Information Technology and Civil Liberties) published an article on January 26, 2022 which stipulates that consent for commercial prospecting must be free, specific, informed and unambiguous. This means that consumers must give their consent beforehand and actively, rather than ticking a pre-ticked box or being automatically added to a prospecting list.

⚠ In B2C, consent is mandatory for prospecting. The prospect must agree before you can process their data and send them a sales prospecting email, for example.

B2C commercial prospecting by email

Advertising by e-mail is possible provided that individuals have explicitly given their specific and informed consent before being canvassed. Individuals must be informed in advance if they wish to receive commercial offers or have their personal data used for marketing purposes.

Consent must be free, specific, informed and unambiguous. To be valid, it requires simple, free acceptance of the Data subject (for example, a dedicated checkbox that is not pre-ticked). Acceptance of general conditions of use is not sufficient. The agreement must be voluntary.

In B2C, you need the prospect's consent to prospect by e-mail.

How to create a database of prospects who have consented to be prospected:

  1. Buy a database of B2C prospects who have consented to be prospected and are part of your target audience.
  2. Build up your database through newsletter subscriptions, webinars, competitions, etc...

B2B prospecting by mail, telephone and SMS

✨ This is quite possible provided that the people have been:

  • previously informed of the use of their data for prospecting purposes at the time of collection; 💼
  • Able to object to this use simply and free of charge.

It is important to note that the GDPR imposes requirements for commercial prospecting, particularly for a telephone number. Companies must ensure that data has been obtained legally and used in accordance with the purposes for which it was collected.

Specificity of the phone number / SMS: you cannot prospect people registered on the Bloctel database.

Is it possible to contact a client to sell them a product other than the one initially purchased?

💻 In B2C, you have the right to contact a client to sell them another product, but under certain conditions:

If the prospect is already a customer of the company, and if the prospecting concerns similar products or services supplied by the same company. Put another way, you only have the right to contact a client if the product you are selling them belongs to the same product family as the product you sold them. 💬

If not, you need to find a way to get their consent to be canvassed on this other product. That's what B2C cross-marketing is all about.

Are there any checks by the CNIL (National Commission for Information Technology and Civil Liberties)?

⚠ According to the CNIL (National Commission for Information Technology and Civil Liberties), in 2022, three priority themes have been chosen by the College of the CNIL (National Commission for Information Technology and Civil Liberties): commercial prospecting, the surveillance of workers working remotely and the use of cloud computing.

The CNIL (National Commission for Information Technology and Civil Liberties) indicated in its report for 2022 that prospecting would be its main focus this year.

  • 72% of French people are opposed to their personal data being stored outside the European Union 🔒
  • 66% of French people say they can change providers if they're not GDPR compliant, according to an Ifop poll for OVH in 2021. 📁
  • Leadjet, Dropcontact, etc. are now staking their success on GDPR compliance
  • Possibility of having a label 💼

So YES, there are CNIL (National Commission for Information Technology and Civil Liberties) checks on commercial prospecting practices, and the CNIL (National Commission for Information Technology and Civil Liberties) has made this one of its priorities.

CNIL (National Commission for Information Technology and Civil Liberties) commercial prospecting: penalties

The CNIL (National Commission for Information Technology and Civil Liberties) can impose administrative fines of up to 4% of worldwide annual sales.

The CNIL (National Commission for Information Technology and Civil Liberties) may also publish the sanction. This has a major impact in terms of reputation and image.

In particular, this sanction was imposed on the Adtech startup Fidzup which failed to recover and went bankrupt!

The CNIL (National Commission for Information Technology and Civil Liberties) also fined NESTOR 20,000 euros and published the penalty on their website for sending commercial prospecting emails without first obtaining the consent of prospects and for failing to comply with several GDPR obligations.

Where do the complaints come from?

📣 Contrary to popular belief, the main GDPR risks don't just come from the CNIL (National Commission for Information Technology and Civil Liberties).

Risks also come:

    • From your clients (in the event of complaints, specific requests, GDPR compliance audit, etc.) who may engage your Accountability in the event of breaches. 📃
    • From your employees, as the GDPR is now one of the main negotiating levers in the event of HR litigation.
    • From your partners, who can impose GDPR compliance or terminate contracts in the event of non-compliance. 🔔
    • From your competitors, who can easily destabilize your structure by using GDPR.

Worse still, the negative effects of GDPR non-compliance are almost invisible yet very real!

🔍Today, 66% of French people, according to an Ifop poll, say they are ready to give up a digital service in the event of a breach of the GDPR.

More concretely, if the client has the choice between you who are not compliant and your competitor who is compliant, the client will tend to choose your competitor! 💼


Are the rules the same throughout the European Union?

No. The GDPR is not the only text to regulate commercial prospecting. Each country has its own specificities. This complicates the task for companies marketing in Europe. 🌍

🇫🇷 For example, France is one of the most permissive European countries in terms of B2B prospecting rules. Germany and Italy, for example, do not allow B2B prospects to be contacted without consent. As a result, prospecting methods are totally different.

For your information, commercial prospecting in France is governed by the CPCE.