A 50 Million Euro GDPR fine recently issued by French data protection authority CNIL provides actionable lessons for companies handling personal information for advertising purposes. First and foremost, refrain from block consents; state your data handling practices clearly:
- make sure information you provide users is easily accessible
- tell people why you process their information, for how long you keep it and the categories of it
- put the information in one or limited locations
- refrain from requiring multiple actions to access the necessary information
- describe your purposes specifically, and clearly.
Vague statements like “any of the following purposes may apply” will not suffice. – when relying on consent:
- Provide clear disclosure in a centralized location. This is particularly important if the processing is complex, uses information from different sources or involved sensitive information
- Require action by the user to signify consent ( no pre-checked checkboxes).
- Use separate call outs for each purposes. Statements like: “I accept that my information is used as described above ” may not suffice.