CNIL commercial prospecting: how to cope with the RGPD?

Commercial prospecting is one of the CNIL’s priorities.
Here you’ll find the rules you need to follow to prospect effectively and safely.

Be RGPD compliant to prospect effectively and risk-free

To carry out commercial prospecting, you must, according to the CNIL (Commission Nationale de l’Informatique et des Libertés), comply with the RGPD to protect citizens on the territory of the European Union and strengthen control over the use of their personal data!

The CNIL (Commission Nationale de l’Informatique et des Libertés) acts simply and free of charge to protect consumers’ rights. This includes automated calling, also known as automatic calling machines, commercial prospecting by e-mail and all other forms of prospecting.

When prospecting, you must comply with certain information rules, particularly on your website or e-commerce site.

The most important general principle of the RGPD is informing people. You must inform customers and prospects by publishing:

  • A compliant customer privacy policy
  • A compliant cookie privacy policy
  • A compliant cookie banner
  • Information notices wherever necessary
  • A label of compliance

Privacy policy and cookies policy

The purpose of the privacy policy is to inform individuals about the processing of their personal data. It must clearly explain:

  • What is its purpose?
  • Who is it intended for?
  • Why is data processed?
  • On what grounds is data being processed?
  • What data is processed, and for how long?

In the case of the cookies policy, it is essential to specify the purpose of the cookies on the site, the categories of cookies used, etc.

It’s also important to set up information banners on your forms, registration, newsletter or contact page. They should mention that the data entered will be processed. A link to the privacy policy is also required.

On the other hand, there’s no need to add a checkbox. By taking this action, visitors indicate their interest and can be contacted. This only applies to B2B, as prior consent is mandatory for B2C. All prospects must give their consent to receive commercial prospecting offers.

RGPD and commercial prospecting: the main rules

Respect the Opt out

You must never forget to allow your prospects to unsubscribe. The company must inform consumers of their right to object to this use at any time, simply and free of charge.

This can be done at the time of data collection, during prospecting communications or by contacting the company directly. Otherwise, it may lead to an aggressive exchange, or your e-mails may end up as spam. Every prospect must have the right to object, and this right must be respected.

Prospects should also be informed of the sources from which their data is collected at the end of each email sent to a prospect.

In general, the CNIL encourages companies to respect the principles of transparency and respect for consumers’ choices, giving them the power to object to the use of their data for commercial prospecting purposes.

What to do with your prospects or customers who have opted out?

You should never delete these databases entirely, but transfer them to an “unsubscribed” database, otherwise you’ll have no trace of the Opt out or you’ll potentially prospect these people again. 

Be careful, however, to retain only the minimum information needed to identify the prospect, and not all the personal data you had in your possession.

Control your technical service providers!

Another general principle of the RGPD is to control your technical service providers. You must control your technical service providers who process personal data on your behalf! 

Work with RGPD-compliant service providers.

There are different types of subcontractors. It’s mandatory to check them for RGPD compliance. It is also necessary to check whether the provider is located within the EU or outside it (e.g. USA) as, by default, the transfer of personal data outside the EU is prohibited. The use of tools such as Crisp or Calendly, which are in the USA, requires a prior contract.

Alternatives to Google Analytics 3, which was banned in early 2022:

  • Very complicated and very risky: you can make developments with Google Analytics 3 so that the IP address is not displayed.
  • Google Analytics 4 is the solution proposed by Google to solve this problem.
  • Alternatives proposed by the CNIL: Matomo, …

Be a compliant processor yourself

If you are a subcontractor in the sense of the RGPD, i.e. you process personal data on behalf of your customers (company, association…), it is necessary to include the DPA (Data Protection Agreement) in the GTCS.

Your customers will audit you frequently to check that you are RGPD compliant.

Respecting data retention periods

In B2B as in B2C, data may be kept for 3 years from the last interaction with the prospect or customer for commercial prospecting purposes. However, concerning personal customer data, you can keep it until the end of your service.

Commercial prospecting is very permissive in B2B in France

There’s a widely-held misconception about the need for prior consent in B2B for commercial prospecting purposes. It’s not true! There’s no need for Opt in and the limit concerning the retention period is rather vague: 3 years, but the B2B database can then be reused.

In this context, database transfer is free and the scraping of public information is authorized when you’re doing commercial prospecting. For example, you have the right to legally purchase databases or obtain emails via LinkedIn databases.

B2B customer search by e-mail

In B2B, you can carry out commercial prospecting by postal mail or commercial prospecting by e-mail.

However, there are some simple conditions to observe when prospecting:

  • Inform the prospect of the sources from which their data has been collected.
  • Inform them that this is commercial prospecting.
  • Give prospects the option of unsubscribing (the option of unsubscribing can take several forms: instruction, button, etc.).
  • You can only prospect people who are related to your activity (example: if you sell flour, you can only target professionals who need it).

Generic email prospecting

Generic emails are not personal data as they do not contain any information about an individual.

The GDPR does not apply to generic emails. However, it is recommended to respect unsubscribe requests to preserve your reputation.

B2B prospecting by mail, telephone and SMS

Commercial canvassing by e-mail, post or telephone is possible, provided that people are able to object to this use simply and free of charge (B2B).

According to the CNIL, you have the right to carry out commercial prospecting by SMS, but people must first be informed.

B2B prospecting by mail, phone and SMS

Consent is one of the legal bases provided by the RGPD on which personal data processing can be based. The CNIL published an article on January 26, 2022 stipulating that consent for commercial prospecting must be free, specific, informed and unambiguous. This means that consumers must give their consent beforehand and actively, rather than ticking a pre-ticked box or being automatically added to a prospecting list.

In B2C, consent is mandatory for prospecting. The prospect must agree before you can process their data and send them a sales prospecting email, for example.

B2C commercial prospecting by email

Advertising by e-mail is possible provided that individuals have explicitly given their specific and informed consent before being canvassed. Individuals must be informed in advance if they wish to receive commercial offers or have their personal data used for marketing purposes.

Consent must be free, specific, informed and unambiguous. To be valid, it requires simple and free acceptance by the person concerned (for example, a dedicated checkbox that is not pre-ticked). Acceptance of general conditions of use is not sufficient. Agreement must be voluntary.

In B2C, you need the prospect’s consent to carry out commercial prospecting by e-mail.

How to create a database of prospects who have consented to be canvassed:

  • Buy a database of B2C prospects who have consented to be canvassed and are part of your target audience.
  • Build up your database through newsletter subscriptions, webinars, competitions, etc.

B2B prospecting by mail, telephone and SMS

This is entirely possible, provided that individuals have been:

  • Previously informed of the use of their data for prospecting purposes at the time of collection;
  • Able to object to this use simply and free of charge.

It is important to note that the RGPD imposes requirements for commercial prospecting, particularly for a telephone number. Companies must ensure that data has been obtained legally and used in accordance with the purposes for which it was collected.

Specificity of the phone number / SMS: you can’t prospect people registered on the Bloctel database.

Is it possible to contact a customer to sell them a product other than the one initially purchased?

In B2C, you have the right to contact a customer to sell them another product, but under certain conditions:

If the prospect is already a customer of the company and if the prospecting concerns similar products or services provided by the same company. Put another way, you only have the right to contact a customer if the product you are selling them belongs to the same product family as the product you sold them.

Otherwise, you need to find a way to get their consent to be canvassed on that other product. That’s what B2C cross-marketing is all about.

Are there any CNIL inspections?

According to the CNIL, in 2022, three priority themes have been chosen by the CNIL College: commercial prospecting, the monitoring of teleworking workers and the use of cloud computing.

In its report for 2022, the CNIL indicated that prospecting would be its main focus this year.

  • 72% of French people say they are opposed to their personal data being stored outside the European Union.
  • 66% of French people say they can change their provider if it doesn’t comply with the RGPD according to the Ifop poll for OVH in 2021.
  • Leadjet, Dropcontact, etc. are now staking their success on RGPD compliance
  • Possibility of having a label.

So YES, there are CNIL checks on commercial prospecting practices and the CNIL has made this one of its priorities.

CNIL sanctions

The CNIL can impose administrative fines of up to 4% of worldwide annual sales.

The CNIL can also publish the sanction. This has a major impact in terms of reputation and image.

For example, this sanction was imposed on the Adtech startup Fidzup, which failed to recover and went bankrupt!

The CNIL also sanctioned the company NESTOR with a fine of 20,000 euros and publication of the sanction on their website for having sent commercial prospecting emails without having first obtained the consent of prospects and for having failed to comply with several RGPD obligations.

Where do the complaints come from?

Contrary to popular belief, the main RGPD risks don’t just come from the CNIL.

The risks also come:

  • From your customers (in the event of complaints, specific requests, RGPD compliance audits, etc.), who can engage your liability in the event of breaches.
  • From your employees, as the RGPD is now one of the main negotiating levers in the event of HR disputes.
  • From your partners, who can impose RGPD compliance or terminate contracts in the event of breaches.
  • From your competitors, who can easily destabilize your structure by using the RGPD.

Worse still, the negative effects of RGPD non-compliance are almost invisible but nonetheless very real!

Today, 66% of French people, according to an Ifop survey, say they’re ready to give up on a digital service in the event of a breach of the RGPD.

More concretely, if the customer has the choice between you, who are not compliant, and your competitor, who is compliant, the customer will tend to choose your competitor!

Are the rules the same throughout the European Union?

No. The RGPD is not the only text to regulate commercial prospecting. Each country has its own specificities. This complicates the task for companies marketing in Europe. 

For example, France is one of the most permissive European countries in terms of B2B prospecting rules. Germany and Italy, for example, do not allow B2B prospects to be contacted without consent. The methods of prospecting are therefore totally different.

For your information, commercial prospecting in France is governed by the CPCE.
