When you rub the magic lamp and are offered three wishes for your digital advertising program, how can you use those wishes to avoid €50,000,000 fines from the French CNIL?
Transparency: You need to disclose clearly the scope of personal data processing, including the purposes for which data is processed and the sources for personalized advertising. And the disclosures must be very specific, organized, and available without clicking through several links. For example, you need to tell users how long you will store their data, not just tell them how you decide whether to destroy it. A failure of transparency can be used, as by the CNIL, to justify the maximum fine.
Granular, Affirmative Consent: The legal basis will be consent, so you need a specific, unambiguous, granular, affirmative consent to each of the processing activities that you have transparently disclosed. Your page describing targeted advertising will mention each of the services and products included in each granular consent for each processing activity! And no pre-ticked boxes in consents! And if you thought that unticking the basic “I accept” box and then sending the unticked to “More Options” (in which a pre-ticked box or two may or may not reside), think again!
EU Control: Here’s a good one for the lamp: To have your lead DPA recognized as such, it has to have decision-making power over your company’s product and service development relating to the user experience and processing of personal data.