Explicit General Data Protection Regulation (GDPR) guidance on the subject of web scraping for purposes of direct marketing has finally been laid out to the public following the publication of a set of guidelines by France’s data watchdog, the CNIL.
According to the new recommendations, published on April 20, publicly available contact information belonging to individual people that is gathered online by companies with the intention of selling it on to third-parties for direct marketing purposes (a process known as ‘web scraping’ or ‘data extraction’), should be regarded as still being personal data, even if the data is publicly available.
However, the CNIL’s guidance falls short of imposing any new rules to this end, instead merely serving to clarify existing GDPR rules and to recommend certain actions to businesses on the basis of web scraping for purposes of direct marketing.
However, the CNIL did emphasize that it will pay particularly close attention to how the guidance is observed by French citizens, appending to their statement that the watchdog will “remain vigilant on this concern of the daily life of the French and concerning the respect of their rights.”
The blurry boundaries of web scraping
The new guidance follows on the heels of a series of inspections carried out by the CNIL last year in order to determine whether the relevant privacy laws in France, namely the EU’s GDPR and French Data Protection Act, are respected.
The inspections revealed that a number of companies actively use web scraping software to automatically collect web users’ data from online public spaces and to carry it forward for use in direct marketing campaigns.
According to a blog post by US law firm Hunton Andrews Kurth detailing the impact of the guidelines, the CNIL’s inspections went even further, revealing that several violations of the GDPR and the French Data Protection Act had occurred. These included insufficient notification being provided to affected individuals, as well as an all-round lack of consent for the sending of electronic direct marketing communications, such as emails and calls.
As a result of these findings, the CNIL decided to take action, and drafted the newly released guidelines in order to make sure that businesses and other data controllers were aware of the best practices with regards to data scraping for use in direct marketing campaigns.
In essence, the CNIL urged that the contact details of individuals published in online public spaces are still personal data, despite the fact that it is publicly accessible. Therefore, the CNIL ruled, companies are not entitled simply to reuse the data and are effectively forced to process it for direct marketing purposes only with the user’s permission.
To ensure clarity to this end, the CNIL pressed businesses to pay careful attention to the following five steps, should they opt to make use of web scraping technology:
To verify the nature and origin any data they scrape, keeping in mind that some websites prohibit the practice while others do not.
To minimize data collection, especially pertaining to sensitive information such as health data, religion, and sexual orientation, among others.
To ensure that the data subject (the person whose data is being scraped) in question is make aware of the goings-on, in accordance with Article 14 of the GDPR.
To ensure that the web scraping service provider is also on board with the new guidelines and that a proper data processing agreement is kept in place between the two parties in accordance with Article 28 of the GDPR.
To carry out a Data Protection Impact Assessment (DPIA) if necessary, in line with existing GDPR guidelines on the matter. Even if a DPIA is not required, the CNIL recommends that it is carried out anyway.
The CNIL doubled down on the fact that they will go to extra lengths to ensure that companies adhere to the new guidelines, particularly in France, where the body holds jurisdiction.
Impact on direct marketing
Seeing that the CNIL frequently reviews complaints concerning business web scraping for direct marketing purposes, the new guidance comes as a welcomed step for privacy advocates across the globe, especially in light of the GDPR’s monumental influence.
By clarifying best practice, the guidance has the potential to have a positive impact on the types of people who are concerned by ads displayed on consumer-to-consumer websites or in online directories, to name only two examples.
However, it is worth remaining cognizant of the fact that, while a positive step, the CNIL’s guidance remains what it is designed to be—recommendation on the basis of existing legislation. Accordingly, unless business widely adheres to the new guidelines or until the guidelines gain the full weight of the law behind them, web scraping tools will likely continue to be misused—by the CNIL’s definition of the word—by a large number of organization across the EU and the globe.