CNIL publishes its priority control themes for 2024
CNIL publication on it’s website
Each year, CNIL decides to focus part of its controls on a few “priority” themes. These controls are carried out in parallel with other enforcement actions that CNIL may launch in response to data subject claims, current events, or on its own initiative. In 2024, four themes have been chosen by the CNIL: data collection in connection with the Olympic and Paralympic Games, the collection of data from minors online, loyalty programs and dematerialized sales receipts, and data subjects’ right of access.
Data collection as part of the Olympic and Paralympic Games
First of all, the CNIL plans to focus on the security features put in place for access to the games, such as QR codes for restricted areas, as well as access to and use of augmented cameras. It will also examine the collection of commercial data, particularly in the context of ticketing, to ensure that the privacy of the millions of spectators and thousands of athletes is respected, by verifying the nature of the information shared, the recipients of the data and the security measures in place.
Collecting data from minors online
The CNIL will focus part of its controls on platforms frequented by minors (notably social networks, dating sites or online gaming platforms), whose data processing can create risks for their privacy, psychological well-being and socio-professional future. In particular, it will verify that age control mechanisms and security measures are in place, and that the principle of data minimization is respected.
Loyalty programs and dematerialized sales receipts
The authority notes that loyalty programs, which are widely used in the retail sector, can lead to the collection of a great deal of data on consumers, which can then be reused for direct marketing or targeted advertising. Moreover, the dematerialization of sales receipts necessarily leads to additional data processing. The CNIL will therefore verify whether all such processing complies with the GDPR and the French Data Protection Act, particularly with regard to prior information, the collection of consent and the reuse of data for advertising purposes.
Respecting data subjects’ right of access
Checks on this subject will be carried out as part of the third coordinated action by the European authorities forming the EDPB. CNIL states that the checks will focus on the conditions under which the right of access is implemented, and that the results will be pooled and analyzed in order to gain a better understanding of the subject at European level and ensure targeted follow-up.