September 2016

French Government Updates Direct Marketing Requirements

The French government recently updated norme simplifiée n° NS-048. The changes introduce a national do not call list, as well as updated requirements for payment card data and cookies.

Highlights of the law include:

  • Enumerates valid purposes for processing (includes marketing)
  • Describes information that can be collected and used
  • Describes who may collect and use the information
  • Provides retention periods for data:
    • Consent to use data or contact consumers expires after three years of inactivity. An entity must reobtain consent to continue to use data for marketing purposes. If consent is not obtained, data must be destroyed or anonymized.
    • Payment Card data must be deleted 15 months after a purchase, unless the consumer gives express consent to save the data. Expired payment card data must be deleted.
    • Cookies or similar technologies used to track or identify consumers must be deleted after 13 months
  • Clarifies marketing consent
    • Contact via SMS, MMS, Robocall, Fax, Email, Push Notification, Bluetooth require express (opt-in) consent.
      • Limited exception for email, where the “Soft Opt-In” can apply
    • Prior consent is not required for manual dialed calls, postal marketing, or B2B marketing. However consumers can opt-out at any time
      • Exception for B2B marketing to generic addresses
    • Consumers can opt-out of any marketing at any time
      • Phone numbers can soon be registered on the national Do Not Call list
  • Adds cookie requirements
    • Operational/Performance analytics cookies can be used without prior consent. However, consumers must be notified of use and given an opportunity to opt-out.
      • Retention requirements listed above apply to these cookies
    • All other tracking/advertising cookies require prior consent (max lifetime of 13 months)
  • Reiterates the importance of safeguarding data
  • Reiterates requirements for international transfers of data

Companies have 12 months to come into compliance with the new requirements, that will be enforced by the CNIL.
jbho: the CNIL also released updated guidance in line with the new law:

As a reminder, the “Soft Opt-In” is recognized in several EU jurisdictions – usually limited to email. A “Soft Opt-In” is where the following conditions are met:
• Personal information is collected in conjunction with a sale/inquiry
• No ‘sensitive information’ is used
• Marketing is restricted to similar products/services (i.e., 1st party marketing)
• Individuals have an opportunity to decline to be contacted when first collecting contact details, and offered an opt-out in every message sent
Note that a pre-checked tick box, in and of itself, does not constitute a “Soft Opt-In.” All the above conditions must be met.

Leave a Reply