A 50 million euro GDPR fine recently issued by the French data protection authority CNIL provides actionable lessons for companies handling personal information for advertising purposes. First and foremost, refrain from block consents; state your data handling practices clearly:

  • make sure information you provide users is easily accessible
  • tell people why you process their information, how long you keep it and which categories of it you process
  • put the information in one location, or a limited number of locations
  • refrain from requiring multiple actions to access the necessary information
  • describe your purposes specifically and clearly.

Vague statements like “any of the following purposes may apply” will not suffice.

When relying on consent:

  1. Provide clear disclosure in a centralized location. This is particularly important if the processing is complex, uses information from different sources or involves sensitive information.
  2. Require action by the user to signify consent (no pre-checked checkboxes).
  3. Use separate call-outs for each purpose. Statements like “I accept that my information is used as described above” may not suffice.

Details from CNIL.

More here from Law360.