The French supervisory authority (CNIL) imposed a fine on the hotel chain Accor for unlawful newsletter e-marketing.
CNIL had received complaints from guests who had booked stays at hotels belonging to the chain. After booking, their email addresses were automatically added to the newsletter subscriber database: consent to receive commercial information by email was given by default under the booking form. In addition, subscribers encountered technical problems when they tried to withdraw their consent to the processing of their personal data for marketing purposes.
Under the GDPR, a controller wishing to carry out direct marketing activities must obtain valid consent from the data subject. This consent must be voluntary and informed. In addition, the subscriber must take an active step to join the database: consent to join the newsletter recipients' database should, for example, consist of ticking rather than unchecking a checkbox. Controllers cannot assume that all their customers want to be constantly encouraged to use their services again. CNIL also stressed that withdrawing consent should be as easy as giving it, which the hotel chain failed to ensure in this case.
CNIL reported that the irregularities had been rectified by the controller. However, this did not allow the controller to completely avoid financial liability for the violations indicated.