Massive GDPR fine for not verifying user’s consent
This June, the CNIL, France’s Data Protection Authority, sanctioned CRITEO, a company that specializes in targeted advertising, with a fine of 40 million EUR. The company’s goal is to gather cookies and use them to identify the most suitable advertiser and product when displaying advertisements to specific users.
After conducting investigations, the French Authority found multiple deficiencies related to insufficient evidence of individuals’ consent for the processing of their data. These shortcomings led to the compromise of personal data for nearly 370 million users.
Other European Supervisory Authorities were approached, and they jointly agreed that the company was in breach of the GDPR by not asking for consent when collecting data, not including in its privacy policy all of the purposes pursued by the processing of data, and failing to respect the right of access, the right to withdraw consent and the right of erasure of a user’s data.
Spotify struggles with right of access
Spotify, one of the industry’s biggest music streaming platforms, was hit with a 4.9 million EUR fine, issued by the Swedish Privacy Authority (IMY).
IMY has reviewed how Spotify handles customers’ right to access their personal data. The deficiencies that were discovered caused IMY to issue a sanction fee of 58 million SEK against the company.
While the company has respected the right of access to data, there appears to be an issue with adequately informing users about how their data was used. In essence, although users can access the data on request, the extent and purposes of its handling should be presented in a more specific manner. Therefore, despite the information being divided into different layers and accessible in various languages, the Authority concluded that it should not only be explained in each individual’s language but should also provide clearer details to ensure that users fully comprehend what they are requesting.