General Data Protection Regulation (GDPR) , Governance & Risk Management , Privacy

Bad Cookies: Privacy Regulator Fines Supermarket Giant

$3.7 Million Fine for French Supermarket Giant Carrefour for Alleged GDPR Violations
Bad Cookies: Privacy Regulator Fines Supermarket Giant

Warning to organizations that store or process Europeans' personal information: Make privacy policies easy to understand, never place advertising cookies without consent and only retain customer data for a reasonable period of time.

See Also: How Enterprise Browsers Enhance Security and Efficiency

Failure to meet those standards resulted in French retail giant Carrefour Group, based near Paris, being hit with a 3.1 million euros ($3.7 million) privacy fine by the country's data security and privacy regulator.

Last week, France's privacy regulator, the Commission Nationale de l'Informatique et des Libertés, or CNIL, announced that, after conducting an investigation from May to July 2019, it has issued sanctions against two Carrefour Group companies:

  • Carrefour France: 2.25 million euros fine
  • Carrefour Banque: 800,000 euros fine

CNIL alleges that Carrefour Group violated statutes under the EU's General Data Protection Regulation as well as French law. But the regulator said that Carrefour had made significant efforts to fix the shortcomings it identified, meaning the regulator hadn't needed to take the company to court to force it to make changes.

Carrefour grocery stores are well known throughout France, where Carrefour was the first group to open a hypermarket - a large grocery store, often located outside town or city boundaries - near Paris in 1963. Today, Carrefour counts more than 1,200 hypermarkets worldwide and more than 3,400 stores in total.

Details of Alleged Violations

In a French-language press release, CNIL accuses Carrefour of violating the following EU and French statutes:

  • Right to be informed: Under GDPR Article 13, "individuals have the right to be informed about the collection and use of their personal data," per Britain's Information Commissioner's Office. "This is a key transparency requirement under the GDPR." But CNIL says information provided to users of the and websites who wished to join the company's loyalty program or get a Carrefour credit card was not easily accessible, was too complicated and failed to specify for how long data would be retained.
  • Breaches relating to cookies: Per Article 82 of the French Data Protection Act, "any subscriber or user of an electronic communications service must be informed in a clear and comprehensive manner, unless they have been informed in advance," about how collected data will be used, as well as how they might seek to oppose that use. Unless an organization receives consent, it has no right to process the individual's personal information. But CNIL says Carrefour was automatically pushing cookies onto the systems of visitors to the and websites before attempting to obtain consent, despite some of the cookies being used for advertising.
  • Breach of data retention requirements: CNIL says that, in violation of GDPR Article 5.1.e, Carrefour France failed to respect a four-year data retention period it had set, leading to the company inappropriately retaining data for more than 28 million customers who had been inactive for five to 10 years, as well as for more than 750,000 users of the website. The regulator also said that it considered "a retention period of four years for customer data after their last purchase to be excessive."
  • Failure to respect rights: Under GDPR and also French law, companies must field requests from people who wish to have their personal data removed. But CNIL says Carrefour France failed to respond to multiple requests and, in some cases, failed to erase information when it should have done so. "The company did not take into account several requests from people who objected to receiving advertising by SMS or email, in particular due to occasional technical errors," CNIL says.
  • Breach of data subjects' rights: CNIL says that, in violation of GDPR Article 12, Carrefour France was requiring customers to prove their identity before being allowed to exercise their various rights under GDPR. "This systematic request was not justified since there was no doubt about the identity of the people exercising their rights," CNIL says. "In addition, the company was not able to process several requests for the exercise of rights within the time limits required by the GDPR."
  • Breach of the obligation to process data fairly: Per Article 5 of GDPR, organizations must be transparent about how they handle data. CNIL says Carrefour Banque customers who signed up for a "pass card" - a credit card tied to their Carrefour loyalty program account - were told that the bank would only transfer their first name and email address to the program. But investigators found that "other data was transmitted, such as the postal address, the telephone number and the number of its children."

CNIL says Carrefour has taken numerous steps to address the above problems, including rapidly hiring new employees to respond to all data access requests, revamping the data-sharing notices it provides to consumers, halting the placing of cookies on systems before getting consent and overhauling its online loyalty card subscription process.

Basis for the Final Fine

CNIL notes that, had it simply fined Carrefour France, it would have had to base penalties on that relatively small unit's 2019 revenue.

But Carrefour France is part of a wider group of companies, which led the CNIL committee overseeing the final decision to look at the entity more broadly. Investigators found that "Carrefour Hypermarchés and Carrefour Proximité France companies are benefiting from the data sharing program," owing to Carrefour France's marketing department having processed the shared data of customers of those companies, including their "last name, first name, physical and electronic address, telephone number and purchase history, in order to send them personalized advertising for the products sold."

As a result, the CNIL committee opted to use as the basis for its fine the revenue of the largest Carrefour entity that benefited from the improper data practices.

The final fines, totaling 3.1 million euros, are only a fraction of what could have been imposed. Under GDPR, EU regulators can levy fines of up to 4% of an organization's annual global revenue or 20 million euros - whichever is greater - if they violate Europeans' privacy rights. Thus, Carrefour faced a fine of up to 64 million euros, with the final judgment equaling just 5% of that amount.

Carrefour has two months to appeal the fine, should it choose to do so. The company didn't immediately respond to a request for comment.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.