Many French people received electoral canvassing SMS messages during the election period. In this article, Dipeeo examines the legality of this practice under the GDPR (General Data Protection Regulation).

Background

The early parliamentary elections in June 2024 created a sense of urgency for candidates, prompting them to employ a variety of techniques to encourage voters to go to the polls and promote their political parties. During the 4-week election campaign, many French people received SMS messages from certain political parties.

The messages sent by the political parties are intended to be short and to the point.

Most of them were sent by Selfcontact, a company that claims to have an opt-in database of 29 million telephone numbers, collected through partnerships with companies.

These mass mailings sometimes caused annoyance among recipients, who questioned the legality of using their telephone numbers and the origin of the data. 

Dipeeo's analysis

Electoral prospecting and BtoC commercial prospecting: the rules are the same. 

Database creation and use: consent is mandatory

The use of databases by political parties during elections is strictly regulated. 

Like BtoC companies that engage in commercial prospecting, political parties must collect voter consent and be able to prove it in order to be GDPR-compliant and send SMS campaigns legally.

The vast majority of political parties use service providers who supply databases to target potential voters. 

However, relying on a service provider does not in any way guarantee the legality of the database creation. 

It is the political party's responsibility to monitor its service provider to ensure that all persons in the database used for electioneering purposes have given their free, specific, informed, and unambiguous consent.

How is consent obtained?

For consent to be legal under GDPR, certain information must be provided when consent is collected: 

  • Information on the purpose of data collection: a clear explanation of why the data is being collected.
  • A checkbox: to obtain users' explicit consent (it is forbidden to pre-check a box).
  • A link to the privacy policy: for more details on how the data is used.
  • Specific consent must be obtained for each type of communication (SMS, e-mail, etc.).

For example: 

"By checking this box, I agree that the political party X may use my data for electoral canvassing purposes by SMS. For more information, please see our privacy policy: [privacy policy link]."

"By checking this box, I agree that my data may be used for communication purposes and may be shared with our partners. For further details, please consult our privacy policy."

How long can they send me communications?

When you consent to the use of your personal data, the company or organization may retain and use your data for 3 years. After that, if there has been no further contact from you, your data must be destroyed or anonymized.

Do I have the right to change my mind?

Of course! Every communication must offer a means of unsubscribing, for example an unsubscribe link or an SMS to be sent to a given telephone number.

Once you have opted out, the company or organization no longer has the right to send you any communications. 

So... are these campaigns really legal?

In theory, yes, but in practice, within the framework of these early legislative elections, GDPR compliance is being strongly questioned, particularly regarding the respect for individuals' informed consent (opt-in).

Respecting people's rights: essential

Personal rights under the GDPR (General Data Protection Regulation) primarily serve to protect your fundamental rights and freedoms with regard to the processing of your personal data. 

  • Right to access and copy personal data: Request information on all processing of your personal data.
  • Right to deletion/Right to be forgotten: Request the deletion of your personal data if it is no longer required for the purposes for which it was collected, or if consent is withdrawn.

I have not consented to receive this type of message, what should I do?

To exercise these rights, you can contact the DPO (Data Protection Officer) of the political party concerned. You'll find the DPO's contact address in the party's privacy policy, normally available on the party's website.

Subject: Request for access and deletion of my personal data

"Hello,

I received two SMS messages from X on X June 2024 at XhXX and on X July 2024 at XXhXX on my personal number X (screenshot attached). I would like clarification on the following points:

  • Data source: Can you tell me where and how you obtained my personal data?
  • Nature of data: What information do you have about me?
  • Consent: Can you provide proof of my explicit consent to receive this type of message?

Furthermore, I request that you proceed with the complete deletion of all my personal data that you hold in your systems. Please confirm the receipt of this message and provide me with a response within the one-month timeframe, in accordance with the applicable regulations.

Sincerely,"

If no response is received, a complaint can be lodged with the CNIL.

The political parties concerned risk penalties of up to 20 million euros or 4% of their annual global turnover.

Good to know:

  • A political opinion is sensitive data, requiring enhanced protection.
  • Protecting this data is crucial to preventing discrimination, privacy breaches, manipulation, and intimidation, as well as ensuring personal safety.
  • The GDPR imposes strict rules on the collection, processing, and retention of sensitive data.
  • Political parties are required to designate a DPO (Data Protection Officer) with the CNIL to handle this type of data.
  • In France, SMS messages can be sent from 8am to 8pm, with the exception of Sundays and public holidays, in accordance with Article L. 121-34 of the French Consumer Code.