In addition to the not-insignificant €2.25 million fine, CNIL's enforcement action against Carrefour France raises some universal points for companies handling data, both in the EU and in the U.S.
Big Picture Takeaways:
Retention (With the retention limitation in the recently passed California Privacy Rights Act (CPRA), which takes effect in 2023, this is starting to be important for companies doing business in California as well)
- A retention period of four years for inactive loyalty program customers can be excessive.
- Three years could be used as a rule of thumb but may still be excessive for loyalty programs. If used as a uniform retention period across different types of customers, it can be reasonable.
- If you set a retention term, make sure your systems are able to support it and effectuate the deletion in time.
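The third point above, that the systems must actually carry out the deletion on time, is where retention policies usually fail in practice. The following is an added example (not code from the page, from CNIL or from Carrefour) of a retention job that computes each record's deadline from a per-category policy, purges expired records, and runs a separate check that flags records left in place past their deadline so the deletion job itself is monitored. The `Customer` structure, the `RETENTION_DAYS` policy (using the three-year rule of thumb quoted above), the 30-day grace period and the sample records are all constructed for the example; the real retention terms must come from your own documented retention schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention policy, keyed by customer category. The three-year term
# for inactive loyalty members follows the rule of thumb quoted on the page; the
# period you actually apply must come from your documented retention schedule.
RETENTION_DAYS = {
    "loyalty": 3 * 365,
    "online_account": 3 * 365,
}

# Fixed "today" so the example is reproducible; a real job would use date.today().
TODAY = date(2021, 2, 1)


@dataclass
class Customer:
    customer_id: str
    category: str
    last_activity: date  # last purchase, login or other contact with the customer
    deleted: bool = False


def retention_deadline(customer, policy=RETENTION_DAYS):
    """Date after which the record must no longer exist in the system."""
    if customer.category not in policy:
        # Every category of data needs a documented term; refuse to guess one.
        raise ValueError(f"no retention term defined for {customer.category!r}")
    return customer.last_activity + timedelta(days=policy[customer.category])


def select_expired(customers, today, policy=RETENTION_DAYS):
    """Records whose retention deadline has passed and that are still present."""
    return [c for c in customers
            if not c.deleted and retention_deadline(c, policy) <= today]


def purge(customers, today, policy=RETENTION_DAYS):
    """Delete expired records; returns the purged ids for the audit log."""
    purged = []
    for c in select_expired(customers, today, policy):
        # Hypothetical: a real system would erase or anonymise the record in
        # every data store that holds a copy (CRM, marketing tool, backups policy).
        c.deleted = True
        purged.append(c.customer_id)
    return purged


def overdue(customers, today, grace_days=30, policy=RETENTION_DAYS):
    """Monitoring check for the deletion job itself: any record still present
    more than grace_days past its deadline means deletion is not keeping up."""
    return [c.customer_id for c in customers
            if not c.deleted
            and retention_deadline(c, policy) + timedelta(days=grace_days) <= today]


# Constructed sample data for the example.
SAMPLE = [
    Customer("c1", "loyalty", date(2017, 1, 10)),        # inactive ~4 years: expired and overdue
    Customer("c2", "loyalty", date(2019, 3, 1)),         # inactive < 3 years: keep
    Customer("c3", "online_account", date(2018, 1, 15)), # deadline 2021-01-14: expired, within grace
]

if __name__ == "__main__":
    print("overdue before run:", overdue(SAMPLE, TODAY))  # ['c1']
    print("purged:", purge(SAMPLE, TODAY))                # ['c1', 'c3']
    print("remaining expired:", select_expired(SAMPLE, TODAY))  # []
```

The `overdue` check is the piece most often missing: it turns "our policy says three years" into an alert when the job silently stops running, which is exactly the gap an inactive-customer audit exposes.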
Verification (In addition to the General Data Protection Regulation, this is in both the California Consumer Privacy Act and CPRA)
- To verify the identity of an individual making a request, only ask for identifying documents when there is a doubt as to the identity.
- When asking for identification, delete it upon verification and do not retain it.
- Make the relevant structural and organizational changes necessary to deal with an influx of individual requests.
- Information must be presented in a way that is easily accessible and understood. Multiple pages and links and redundant information make this difficult.
- Placing the privacy disclosure and the loyalty program terms as sections in the middle of the general terms makes them hard to access.
- Privacy information should be grouped together in a single document separate from the general conditions of use.
- When providing information in a layered structure, it is important not only for the second level of information to detail all the information relating to the processing but also that the first level presents the essential characteristics. This includes the details of the purpose of the processing, the identity of the controller and a description of the rights of the data subjects.
- To the greatest extent possible, use simple vocabulary, short sentences and a direct style, and avoid legal or technical terms, abstract or ambiguous terms and formulas.
- Use clear, unambiguous and precise language. Avoid expressions such as: "one or more," "may be," "possibly" or "in certain cases," and "may be processed for one or more of the following reasons."
- When presenting information use some sort of organization and hierarchy to make it easy for the user to understand. Stay away from a long list covering the points in the law.
- Don't forget to include: legal basis, the length of time the data will be retained and the countries to which the data will be transferred.
- When referring to the legal basis, you must state the basis that corresponds to each processing operation carried out. A single reference to the legal bases that apply across several processing operations is not enough.
Right to Delete
- If, after a request for erasure, certain personal data of customers can be kept (under legal obligations, for evidentiary purposes, or because the company has an overriding legitimate reason), any personal data not necessary for those other obligations or purposes must still be deleted after the exercise of this right, as soon as the conditions laid down by Article 17 of the GDPR are met.
- If you consider a request for erasure too broad and it cannot be granted, whether on the basis of an overriding legitimate interest or because erasure is not possible under Article 17 of the GDPR, you must contact the person concerned.
- You cannot require logging into a customer account as a condition of unsubscribing from a newsletter or marketing email.
- You should require prior authorization in order to display invoices containing personal information, rather than having them available on a fixed URL accessible by anyone who has it. Adding a random character string is not sufficient, by itself, to prevent undue access to the personal data of third parties. This measure reduces the risk but does not eliminate it; access remains possible.
- If login credentials (email/password) were exposed, this is a reportable data breach even if there is no evidence that they were actually accessed.
- Many people reuse the same credentials across services, which puts them at risk of a credential stuffing attack.
- In addition, with more information about them accessible to the perpetrators, they are more at risk for identity theft.
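Two of the points above (unsubscribing without a login, and invoices that must not sit behind a merely unguessable URL) are two sides of the same design question: when is holding a link enough to authorize an action? The following is an added example, not code from the page, from CNIL or from Carrefour, showing both. The unsubscribe link carries an HMAC token that only the server can mint, so the recipient can opt out without logging in while a forged link is rejected. The invoice endpoint is shown first in the pattern the decision criticises (a random slug that grants access to whoever holds the URL, which leaks through forwarding, proxies, browser history and logs) and then in a hardened form that requires an authenticated session and checks that the invoice belongs to that customer. The key, the `example.invalid` host, the session dictionary shape and the sample invoices are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; in production load it from a secrets manager
# and rotate it (old links stop working, which is acceptable for unsubscribe).
UNSUBSCRIBE_KEY = b"constructed-demo-key-do-not-use"


def unsubscribe_token(email: str) -> str:
    """Token embedded in the newsletter's unsubscribe link. Only the server can
    compute it, so a holder of a valid link is presumed to be the recipient and
    no login is required to act on it."""
    return hmac.new(UNSUBSCRIBE_KEY, email.lower().encode(), hashlib.sha256).hexdigest()


def unsubscribe_link(email: str) -> str:
    # Constructed host; the real link would be URL-encoded by the mailer.
    return f"https://example.invalid/unsubscribe?email={email}&token={unsubscribe_token(email)}"


def handle_unsubscribe(email: str, token: str, subscribers: set) -> bool:
    """Process the link without a session. Constant-time compare so a forged
    token cannot be brute-forced byte by byte; on failure, do nothing and do not
    reveal whether the address is subscribed."""
    if not hmac.compare_digest(token, unsubscribe_token(email)):
        return False
    subscribers.discard(email.lower())
    return True


# Constructed sample invoices: id -> owner, random URL slug, and the document body.
INVOICES = {
    "inv-1001": {"owner": "cust-A", "slug": secrets.token_urlsafe(16), "body": "invoice for cust-A"},
    "inv-1002": {"owner": "cust-B", "slug": secrets.token_urlsafe(16), "body": "invoice for cust-B"},
}


def invoice_by_slug(slug: str):
    """The pattern the decision rejects: the 128-bit random slug makes the URL
    hard to guess, but anyone who obtains the URL (forwarded mail, proxy or
    server logs, browser history, a shared screen) reads the invoice without
    being asked who they are."""
    for inv in INVOICES.values():
        if hmac.compare_digest(inv["slug"], slug):
            return inv["body"]
    return None


def invoice_for_session(session, invoice_id: str):
    """Hardened form: require an authenticated session, then check ownership.
    Returns (status, body) so callers can map status to an HTTP response."""
    if not session or not session.get("authenticated"):
        return ("login_required", None)
    inv = INVOICES.get(invoice_id)
    # One answer for both "no such invoice" and "someone else's invoice", so the
    # endpoint does not confirm which invoice ids exist.
    if inv is None or inv["owner"] != session.get("customer_id"):
        return ("not_found", None)
    return ("ok", inv["body"])


if __name__ == "__main__":
    subs = {"alice@example.com"}
    link_token = unsubscribe_token("alice@example.com")
    print(handle_unsubscribe("alice@example.com", link_token, subs), subs)   # True set()
    print(invoice_for_session({"authenticated": True, "customer_id": "cust-A"}, "inv-1002"))
    # ('not_found', None): cust-A cannot read cust-B's invoice even knowing its id
```

The asymmetry is deliberate: unsubscribing only affects the address in the link and is something the recipient is entitled to do, so a signed link is a proportionate control; an invoice exposes the personal data of the customer (and possibly of third parties), so the decision expects a real authorization check, and the random slug is at most a defence in depth on top of it, never a substitute.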