A 50 Million Euro GDPR fine recently issued by French data protection authority CNIL provides actionable lessons for companies handling personal information for advertising purposes. First and foremost, refrain from block consents; state your data handling practices clearly:
- Make sure the information you provide to users is easily accessible.
- Tell people why you process their information, how long you keep it, and which categories of information are involved.
- Put the information in one location, or a limited number of locations.
- Refrain from requiring multiple actions to access the necessary information.
- Describe your purposes specifically and clearly. Vague statements like “any of the following purposes may apply” will not suffice.
When relying on consent:
- Provide clear disclosure in a centralized location. This is particularly important if the processing is complex, uses information from different sources or involves sensitive information.
- Require action by the user to signify consent (no pre-checked checkboxes).
- Use separate callouts for each purpose. Statements like “I accept that my information is used as described above” may not suffice.
Details from CNIL.