Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
The Trust in Digital Economy Act 2004 provides that any commercial prospecting by means of telephone, fax or electronic communication is prohibited without the prior agreement of the data subject. Such prospecting must always indicate the address of the prospector and offer the possibility to unsubscribe from the communications. The French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), controls the application of these rules and can issue fines for unsolicited electronic marketing of up to €3,000 for a natural person and €15,000 for a legal entity.
The EU General Data Protection Regulation (GDPR) has implemented rules for cases in which an individual is associated with online identifiers provided by their devices and applications, including internet protocol addresses, cookie identifiers or other identifiers (eg, radio frequency identification tags). These processes may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of and identify natural persons.
Restrictions on decisions based solely on automated processing (which may include profiling) apply if the decision has legal repercussions or otherwise significantly affects the data subject. Using the example of online credit decisions and e-recruiting, Recital 71 clarifies that the objectionable element is the lack of human intervention and that individuals have the right not to be subject to such decisions. This could either be interpreted as a prohibition on such processing or a stipulation that the processing may take place but that individuals may object to it. This ambiguity is present in the GDPR and EU member states differ in their approaches. Such significant automated processing can be used if it:
- is necessary to enter into or perform a contract between a data subject and controller;
- has been authorised by union or member state law; or
- has the individual’s explicit consent.
- the storage of cookies on their computers;
- the possibility of managing cookie settings or refusing their use; and
According to the CNIL, cookies can remain active for a maximum of 13 months.
Click here to view the full article.