Bad Cookies: Privacy Regulator Fines Supermarket Giant
$3.7 Million Fine for French Supermarket Giant Carrefour for Alleged GDPR Violations
Warning to organizations that store or process Europeans' personal information: Make privacy policies easy to understand, never place advertising cookies without consent and only retain customer data for a reasonable period of time.
Failure to meet those standards resulted in French retail giant Carrefour Group, based near Paris, being hit with a 3.1 million euros ($3.7 million) privacy fine by the country's data security and privacy regulator.
Last week, France's privacy regulator, the Commission Nationale de l'Informatique et des Libertés, or CNIL, announced that, after conducting an investigation from May to July 2019, it has issued sanctions against two Carrefour Group companies:
- Carrefour France: 2.25 million euros fine
- Carrefour Banque: 800,000 euros fine
CNIL alleges that Carrefour Group violated statutes under the EU's General Data Protection Regulation as well as French law. But the regulator said that Carrefour had made significant efforts to fix the shortcomings it identified, meaning the regulator hadn't needed to take the company to court to force it to make changes.
Carrefour grocery stores are well known throughout France, where Carrefour was the first group to open a hypermarket - a large grocery store, often located outside town or city boundaries - near Paris in 1963. Today, Carrefour counts more than 1,200 hypermarkets worldwide and more than 3,400 stores in total.
Details of Alleged Violations
In a French-language press release, CNIL accuses Carrefour of violating the following EU and French statutes:
- Right to be informed: Under GDPR Article 13, "individuals have the right to be informed about the collection and use of their personal data," per Britain's Information Commissioner's Office. "This is a key transparency requirement under the GDPR." But CNIL says information provided to users of the carrefour.fr and carrefour-banque.fr websites who wished to join the company's loyalty program or get a Carrefour credit card was not easily accessible, was too complicated and failed to specify for how long data would be retained.
- Breaches relating to cookies: Per Article 82 of the French Data Protection Act, "any subscriber or user of an electronic communications service must be informed in a clear and comprehensive manner, unless they have been informed in advance," about how collected data will be used, as well as how they might seek to oppose that use. Unless an organization receives consent, it has no right to process the individual's personal information. But CNIL says Carrefour was automatically pushing cookies onto the systems of visitors to the carrefour.fr and carrefour-banque.fr websites before attempting to obtain consent, despite some of the cookies being used for advertising.
- Breach of data retention requirements: CNIL says that, in violation of GDPR Article 5.1.e, Carrefour France failed to respect a four-year data retention period it had set, leading to the company inappropriately retaining data for more than 28 million customers who had been inactive for five to 10 years, as well as for more than 750,000 users of the carrefour.fr website. The regulator also said that it considered "a retention period of four years for customer data after their last purchase to be excessive."
- Failure to respect rights: Under GDPR and also French law, companies must field requests from people who wish to have their personal data removed. But CNIL says Carrefour France failed to respond to multiple requests and, in some cases, failed to erase information when it should have done so. "The company did not take into account several requests from people who objected to receiving advertising by SMS or email, in particular due to occasional technical errors," CNIL says.
- Breach of data subjects' rights: CNIL says that, in violation of GDPR Article 12, Carrefour France was requiring customers to prove their identity before being allowed to exercise their various rights under GDPR. "This systematic request was not justified since there was no doubt about the identity of the people exercising their rights," CNIL says. "In addition, the company was not able to process several requests for the exercise of rights within the time limits required by the GDPR."
- Breach of the obligation to process data fairly: Per Article 5 of GDPR, organizations must be transparent about how they handle data. CNIL says Carrefour Banque customers who signed up for a "pass card" - a credit card tied to their Carrefour loyalty program account - were told that the bank would only transfer their first name and email address to the program. But investigators found that "other data was transmitted, such as the postal address, the telephone number and the number of its children."
CNIL says Carrefour has taken numerous steps to address the above problems, including rapidly hiring new employees to respond to all data access requests, revamping the data-sharing notices it provides to consumers, halting the placing of cookies on systems before getting consent and overhauling its online loyalty card subscription process.
Basis for the Final Fine
CNIL notes that, had it simply fined Carrefour France, it would have had to base penalties on that relatively small unit's 2019 revenue.
But Carrefour France is part of a wider group of companies, which led the CNIL committee overseeing the final decision to look at the entity more broadly. Investigators found that "Carrefour Hypermarchés and Carrefour Proximité France companies are benefiting from the data sharing program," owing to Carrefour France's marketing department having processed the shared data of customers of those companies, including their "last name, first name, physical and electronic address, telephone number and purchase history, in order to send them personalized advertising for the products sold."
As a result, the CNIL committee opted to use as the basis for its fine the revenue of the largest Carrefour entity that benefited from the improper data practices.
The final fines, totaling 3.1 million euros, are only a fraction of what could have been imposed. Under GDPR, EU regulators can levy fines of up to 4% of an organization's annual global revenue or 20 million euros - whichever is greater - if the organization violates Europeans' privacy rights. Thus, Carrefour faced a fine of up to 64 million euros, with the final judgment equaling just 5% of that amount.
Carrefour has two months to appeal the fine, should it choose to do so. The company didn't immediately respond to a request for comment.