The French Data Protection Authority (CNIL) issued on 28 July 2020 a fine of €250,000 against Spartoo, a French company which specializes in selling shoes online. The decision offers rich insights into the failures of a data controller to fulfil the GDPR requirements concerning data minimization, data retention, privacy notices, and security of processing.
The decision by CNIL is especially useful for its nuanced analysis of data controller practices which do not amount to blatant disregard of data protection law. Spartoo appears to have been, for the most part, inattentive, as in relation to the scope of audio recordings, the determination of the retention period, the inclusion of legally required elements in a privacy notice, and the failure to instruct customers to scan bank cards in a privacy-protective manner. The high fine that Spartoo ultimately received is a warning to data controllers and processors that half-steps toward compliance are not a shield from liability.
Spartoo does business in several EU and non-EU countries, where it processes personal data of three categories of data subjects: customers, prospective customers, and employees.
The company operates eighteen websites, most of them in different EU member states. Site visitors use their email addresses and passwords to create accounts through which they can place orders. Spartoo also records phone conversations between its employees and customers for the purpose of employee training. In order to fight fraud, Spartoo sometimes asks customers to submit scans of their bank cards.
In 2018, CNIL investigated Spartoo’s activities, and in 2019, determined in a report that it was not GDPR compliant in many aspects. During proceedings, Spartoo cooperated with CNIL and implemented measures in order to improve its data processing practices.
With regard to each of its main processing activities – phone conversations, customer accounts, and bank cards – Spartoo acted in breach of one or more GDPR principles, or of specific GDPR requirements concerning privacy notices and security of processing.
1. Phone conversations
CNIL determined that recording phone conversations between the employees and customers was excessive in relation to the purpose of the processing – employee training.
During the investigation, CNIL determined that all conversations between employees and customers were being recorded. But the Spartoo staff responsible for employee training generally listened to only one recording a week. Spartoo argued that it might have to increase the number of recordings it listens to “according to its needs”. CNIL rejected that argument and found that the company acted in breach of the data minimization principle.
In addition, customers sometimes placed their orders by phone, as an exception to the usual method of ordering through a web account. During the phone conversations, customers were asked to disclose their bank details. Spartoo did not take measures to prevent the oral information about bank details from being recorded. Such recording too, CNIL found, was unnecessary with regard to employee training as the purpose of the processing.
Spartoo also failed to provide relevant information to customers and employees, the two distinct categories of data subjects. Customers did not receive information about the transfer of data to Madagascar or about all of the legal bases applicable to the processing. Privacy notices to employees did not contain information on the purposes pursued by the processing, the legal basis of the processing, the recipients of the data, the retention period, employees’ rights including the right of access to data concerning them, or the possibility of lodging a complaint with the CNIL. Also, new employees were not informed about the processing at all.
2. Accounts with Spartoo
In 2018, Spartoo had no defined retention periods for customers’ and prospective customers’ data concerning their accounts with Spartoo. A year later, in 2019, the company set a retention period of five years, starting from the date of the customer’s or prospective customer’s last online interaction with the company. Spartoo kept personal data of millions of customers who had not logged in to their accounts in years. CNIL criticized these practices on several grounds. According to the decision,
- applying the five-year retention period not only to customers’, but also to prospective customers’ data, was not appropriate. Spartoo argued that such a long retention period was justified by the fact that prospective customers sometimes logged into their account after a period of, for example, four years of inactivity, and that Spartoo needed the data in order to send them promotional messages. However, CNIL found that, in actuality, prospective customers only received promotional messages for a period of two years after their last online interaction with Spartoo. CNIL concluded that a two-year period would satisfy Spartoo’s legitimate interest to promote its products.
- the starting point of the retention period (“last activity”) applied to prospective customers’ data was inadequate. CNIL noted that Spartoo treated the opening of a promotional email by a prospective customer as an “activity” from which the five-year retention period started to count. This would mean that each time a person opens an email – even by mistake, for example – the retention period would restart. CNIL criticized this practice, explaining that only an action demonstrating interest in a product could be considered an “activity”. Simply opening an email did not reach that threshold; clicking on a hyperlink contained in the email would.
- keeping customers’ data in pseudonymized form even after the expiry of the retention period was excessive. According to the decision, Spartoo did not delete all customers’ personal data after the expiry of the five-year retention period. The company kept customers’ emails and passwords indefinitely in hashed form. Spartoo argued that by using the hash function it made the data anonymous. According to Spartoo, the hashing was performed with the SHA-256 algorithm – a secure and advanced algorithm which, it claimed, makes the hashed data impossible to reverse. Spartoo explained that, by keeping email and password data in hashed form, the company wanted to enable customers to log in to their accounts using their existing credentials. CNIL, however, did not accept this: even though the SHA-256 algorithm is, indeed, considered very secure, this does not mean that the algorithm anonymizes data. Therefore, all data should be permanently erased after the expiry of the retention period.
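The point CNIL made about SHA-256 is easy to demonstrate: an unsalted hash of an email address is deterministic, so anyone holding the clear-text address can recompute the digest and link the "anonymous" record back to the person. The following Python example is added here as an illustration and is not Spartoo's or CNIL's code; the records and addresses are constructed sample data.

```python
import hashlib


def pseudonymise(email: str) -> str:
    """SHA-256 of a normalised email address. Deterministic and unsalted, so the
    same address always yields the same digest; this is what keeps the record
    linkable to the person (pseudonymous, not anonymous)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample: records retained after the retention period expired,
# indexed only by the hashed email (no clear-text address kept alongside).
RETAINED_RECORDS = {
    pseudonymise("alice@example.com"): {"last_login": "2014-03-02", "orders": 3},
    pseudonymise("bob@example.com"): {"last_login": "2013-11-19", "orders": 1},
}

# Constructed sample: clear-text addresses the same organisation, or a partner,
# still holds elsewhere (e.g. a newsletter or CRM export).
KNOWN_EMAILS = ["alice@example.com", "carol@example.com"]


def relink(retained: dict, known_emails: list) -> dict:
    """Return {email: record} for each retained record whose digest matches a
    known address. No key or secret is needed, only the hash function itself."""
    by_digest = {pseudonymise(e): e for e in known_emails}
    return {by_digest[d]: rec for d, rec in retained.items() if d in by_digest}


def still_identifies_account(retained: dict, email: str) -> bool:
    """The controller's own 'log in with existing credentials' use case: if a
    returning customer's address hashes to a stored digest, that record is
    attributable to an identifiable person, i.e. it is still personal data."""
    return pseudonymise(email) in retained


if __name__ == "__main__":
    matches = relink(RETAINED_RECORDS, KNOWN_EMAILS)
    print(f"re-identified {len(matches)} of {len(RETAINED_RECORDS)} retained records")
    for email, record in matches.items():
        print(f"  {email}: {record}")
    print("bob still matchable:", still_identifies_account(RETAINED_RECORDS, "Bob@Example.com"))
```

The only way the retained digests stop being personal data is to delete them; swapping SHA-256 for another hash, or adding a secret salt held by the controller, changes who can perform the re-linking but not whether it can be done.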
Spartoo did not implement appropriate technical and organisational measures to ensure the security of the processing. CNIL determined that Spartoo allowed users to create passwords for their accounts consisting of only six characters from only one category of characters. Spartoo, on the other hand, claimed that short and simple passwords are actually less predictable than more complex ones. Spartoo challenged the substance of CNIL’s recommendation from 2017 (decision n°2017-190), which in turn built upon the fundamental CNIL document concerning passwords, decision n°2017-012 of 19 January 2017. CNIL’s documents state that websites should require users to create strong passwords, but Spartoo invoked the authority of cyber-security experts who contested CNIL’s approach and argued that excessive complexity leads to standardization of passwords and makes them vulnerable. CNIL did not accept this argument and noted that long and complex passwords were, indeed, more resistant to attacks.
3. Bank cards
Spartoo did not implement appropriate technical and organisational measures to ensure the security of processing. For the purpose of fighting fraud, the company had the practice of sending emails to its customers in certain countries requesting that they send back, by email, scans of their bank cards. In particular, Spartoo sent emails to French customers instructing them to scan their bank cards showing “at least the first 4 and the last 4 [digits], the validity date and the name of the holder”. According to the decision, the message encouraged customers to send full bank card numbers, instead of explicitly instructing them to hide certain digits. Spartoo claimed that it was, in fact, authorized to process these data by virtue of CNIL’s decision of 2 July 2009 on monitoring fraud and irregularities. However, CNIL concluded that Spartoo was only authorized to process parts of bank card numbers, as well as expiry dates, for the purpose of fighting fraud. In addition, CNIL criticized Spartoo for allowing customers to send the scans in unencrypted form, from their personal email addresses. The scans were also stored unencrypted. Therefore, CNIL concluded that Spartoo did not implement measures to ensure the security of the data.
[Note: The Serbian Data Protection Act and the current draft of the Montenegrin Data Protection Act mirror the provisions of the GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as instructive guidance for compliance with local regulations.]