Commercial prospecting is one of the CNIL’s priorities.
Here you’ll find the rules you need to follow to prospect effectively and safely.
To carry out commercial prospecting, you must, according to the CNIL (Commission Nationale de l’Informatique et des Libertés), comply with the RGPD to protect citizens on the territory of the European Union and strengthen control over the use of their personal data!
the CNIL (Commission Nationale de l’Informatique et des Libertés) acts simply and free of charge to protect consumers’ rights. This includes automated calling, also known as automatic calling machines, commercial prospecting by e-mail and all other forms of prospecting.
When prospecting, you must comply with certain information rules, particularly on your website or e-commerce site.
The most important general principle of the RGPD is informing people. You must inform customers and prospects – Publish :
The purpose of the privacy policy is to inform individuals about the processing of their personal data. It must clearly explain :
In the case of the cookies policy, it is essential to specify the purpose of the cookies on the site, the categories of cookies used, etc.
It’s also important to set up information banners on your forms, registration, newsletter or contact page. They should mention that the data entered will be processed. A link to the privacy policy is also required.
On the other hand, there’s no need to add a checkbox. By taking this action, visitors indicate their interest and can be contacted. This only applies to B2B, as prior consent is mandatory for B2C. All prospects must give their consent to receive commercial prospecting offers.
You must never forget to allow your prospects to unsubscribe. The company must inform consumers of their right to object to this use at any time, simply and free of charge.
This can be done at the time of data collection, during prospecting communications or by contacting the company directly, otherwise it may lead to an aggressive exchange or you may end up with spam. Every prospect must have the right to object, and this right must be respected.
Prospects should also be informed of the sources from which their data is collected at the end of each email sent to a prospect.
In general, the CNIL encourages companies to respect the principles of transparency and respect for consumers’ choices, giving them the power to object to the use of their data for commercial prospecting purposes.
What to do with your prospects or customers who have opted out?
You should never delete these databases entirely, but transfer them to an “unsubscribed” database, otherwise you’ll have no trace of the Opt out or you’ll potentially prospect these people again.
Be careful, however, to retain only the minimum information needed to identify the prospect, and not all the personal data you had in your possession.
Another general principle of the RGPD is to control your technical service providers. You must control your technical service providers who process personal data on your behalf!
Work with RGPD-compliant service providers.
There are different types of subcontractors. It’s mandatory to check them for RGPD compliance. It is also necessary to check whether or not the provider is located within the EU (e.g. USA) as, by default, the transfer of personal data outside the EU is prohibited. The use of tools such as Crisp or Calendly, which are in the USA, requires a prior contract.
Alternatives to Google Analytics 3, which was banned in early 2022:
Very complicated and very risky: you can make developments with Google Analytics 3 So that the IP address is not displayed.
Google Analytics 4 is the solution proposed by Google to solve this problem.
Alternatives proposed by the CNIL: Matomo, …
Be a compliant processor yourself
If you are a subcontractor in the sense of the RGPD, i.e. you process personal data on behalf of your customers (company, association…), it is necessary to include the DPA (Data Protection Agreement) in the GTCS.
Your customers will audit you frequently to check that you are RGPD compliant.
In B2B as in B2C, data may be kept for 3 years from the last interaction with the prospect or customer for commercial prospecting purposes.However, concerning personal customer data, you can keep them until the end of your service.
There’s a widely-held misconception about the need for prior consent in B2B for commercial prospecting purposes. It’s not true! There’s no need for Opt in and the limit concerning the retention period is rather vague: 3 years, but the B2B database can then be reused.
In this context, database transfer is free and the scraping of public information is authorized when you’re doing commercial prospecting. For example, you have the right to legally purchase databases or obtain emails via LinkedIn databases.
In B2B, you can carry out commercial prospecting by postal mail or commercial prospecting by e-mail.
However, there are some simple conditions to observe when prospecting:
Inform the prospect of the sources from which their data has been collected.
Inform them that this is commercial prospecting.
Give prospects the option of unsubscribing (the option of unsubscribing can take several forms: instruction, button, etc.).
You can only prospect people who are related to your activity (Example: if you sell flour, you can only target professionals who need it).
Generic emails are not personal data as they do not contain any information about an individual.
The GDPR does not apply to generic emails. However, it is recommended to respect unsubscribe requests to preserve your reputation.
Commercial canvassing by e-mail, post or telephone is possible, provided that people are able to object to this use simply and free of charge (B2B).
According to the CNIL, you have the right to carry out commercial prospecting by SMS, but people must first be informed.
Consent is one of the legal bases provided by the RGPD on which personal data processing can be based. The CNIL published an article on January 26, 2022 stipulating that consent for commercial prospecting must be free, specific, informed and unambiguous. This means that consumers must give their consent beforehand and actively, rather than ticking a pre-ticked box or being automatically added to a prospecting list.
In B2C, consent is mandatory for prospecting. The prospect must agree before you can process their data and send them a sales prospecting email, for example.
Advertising by e-mail is possible provided that individuals have explicitly given their specific and informed consent before being canvassed. Individuals must be informed in advance if they wish to receive commercial offers or have their personal data used for marketing purposes.
Consent must be free, specific, informed and unambiguous. To be valid, it requires simple and free acceptance by the person concerned (for example, a dedicated checkbox that is not pre-ticked). Acceptance of general conditions of use is not sufficient. Agreement must be voluntary.
In B2C, you need the prospect’s consent to carry out commercial prospecting by e-mail.
How to create a database of prospects who have consented to be canvassed:
Buy a database of B2C prospects who have consented to be canvassed and are part of your target audience.
Build up your database through newsletter subscriptions, webinars, competitions, etc.
This is entirely possible, provided that individuals have been :
previously informed of the use of their data for prospecting purposes at the time of collection;
Able to object to this use simply and free of charge.
It is important to note that the RGPD imposes requirements for commercial prospecting, particularly for a telephone number. Companies must ensure that data has been obtained legally and used in accordance with the purposes for which it was collected.
Specificity of the phone number / SMS: you can’t prospect people registered on the Bloctel database.
In B2C, you have the right to contact a customer to sell them another product, but under certain conditions:
If the prospect is already a customer of the company and if the prospecting concerns similar products or services provided by the same company. Put another way, you only have the right to contact a customer if the product you are selling them belongs to the same product family as the product you sold them.
Otherwise, you need to find a way to get their consent to be canvassed on that other product. That’s what B2C cross-marketing is all about.
According to the CNIL, in 2022, three priority themes have been chosen by the CNIL College: commercial prospecting, the monitoring of teleworking workers and the use of cloud computing.
In its report for 2022, the CNIL indicated that prospecting would be its main focus this year.
So YES, there are CNIL checks on commercial prospecting practices and the CNIL has made this one of its priorities.
The CNIL can impose administrative fines of up to 4% of worldwide annual sales.
The CNIL can also publish the sanction. This has a major impact in terms of reputation and image.
For example, this sanction was imposed on the Adtech startup Fidzup, which failed to recover and went bankrupt!
The CNIL also sanctioned the company NESTOR with a fine of 20,000 euros and publication of the sanction on their website for having sent commercial prospecting emails without having first obtained the consent of prospects and for having failed to comply with several RGPD obligations.
Contrary to popular belief, the main RGPD risks don’t just come from the CNIL
The risks also come :
From your customers (in the event of complaints, specific requests, RGPD compliance audits, etc.), who can engage your liability in the event of breaches.
From your employees, as the RGPD is now one of the main negotiating levers in the event of HR disputes.
From your partners, who can impose RGPD compliance or terminate contracts in the event of breaches.
From your competitors, who can easily destabilize your structure by using the RGPD.
Worse still, the negative effects of RGPD non-compliance are almost invisible but nonetheless very real!
Today, 66% of French people, according to an Ifop survey, say they’re ready to give up on a digital service in the event of a breach of the RGPD.
More concretely, if the customer has the choice between you who are not compliant and your competitor who is compliant, the customer will tend to choose your competitor !
No. The RGPD is not the only text to regulate commercial prospecting. Each country has its own specificities. This complicates the task for companies marketing in Europe.
For example, France is one of the most permissive European countries in terms of B2B prospecting rules. Germany and Italy, for example, do not allow B2B prospects to be contacted without consent. The methods of prospecting are therefore totally different.
For your information, commercial prospecting in France is governed by the CPCE.
01 59 06 81 85
contact@dipeeo.com
4 boulevard de Montmartre –
75009 Paris
Pour vous contacter, nous devons traiter vos données.
Pour plus d’infos, consultez notre Politique de confidentialité.