Data brokers: TAGADAMEDIA fined €75,000

Information background

As part of its priority topic of investigation on commercial prospecting in 2022, the CNIL focused on the practices of professionals in the sector, in particular those who resell data, including many intermediaries in this ecosystem, known as data brokers.

On this occasion, the CNIL decided to initiate investigations into TAGADAMEDIA, which mainly operates online competition sites and product testing websites, through which it collects data from prospects.

On the basis of the findings made during the investigations, the restricted committee – the CNIL body responsible for issuing sanctions – considered that the company had failed to comply with several of its obligations under the General Data Protection Regulation (GDPR). It imposed a €75,000 fine on TAGADAMEDIA, which was made public. It also ordered the company to implement a data collection form that complies with the requirements of the GDPR within one month, subject to a fine of 1,000 euros per day overdue.

The amount of this fine, which represents approximately 1.6% of the company's turnover, was decided in the light of the breaches identified, the company's cooperation and the measures it took during the procedure to remedy some of the breaches of which it was accused.

Breaches sanctioned

Failure to comply with the obligation to have a legal basis for processing data (Article 6 of the GDPR)

TAGADAMEDIA collects data from prospects through forms it offers on its websites to participate in competitions or product testing. This data is then sent to the company's partners for commercial prospecting. Although the company claims to collect consent for its data processing, the forms used do not allow consent to be collected in compliance with the requirements of the GDPR.

During the investigations, the company provided the CNIL with two examples of forms for collecting data from prospective customers, such as those shown below. However, the presentation of these forms did not allow free, informed and unambiguous consent to be obtained. In fact, the highlighting of the button allowing users to give their consent in contrast to that of the button allowing users not to give their consent, or the incomplete text and reduced size, strongly encouraged users to agree to the transmission of their data to partners.

The company submitted the CNIL a new form during the sanction procedure, corresponding to the example below. The consent obtained via this new form still did not allow to obtain a valid consent, thereby depriving the processing operation of any legal basis.

Failure to comply with the obligation to implement a record of processing activities (Article 30 of the GDPR)

The verifications carried out by the CNIL also revealed a breach relating to the implementation of the record of processing activities, which was retained in the penalty decision.

TAGADAMEDIA's record of processing activities, which is shared with a second company, did not specify which of the two companies was acting as data controller.