Commercial prospecting and CNIL:
what you need to know

Commercial prospecting is governed by a specific legal framework. In France, it is the CNIL which ensures that the legislation in force concerning the protection of personal data is respected. The CNIL has a mission to inform and assist companies in their compliance process. It also monitors the rights of users with regard to data processing and has the power to control and sanction in the event of breaches. How to bring your commercial prospecting actions in line with the requirements of the CNIL? What do you need to know about B2B prospecting in the age of RGPD?

Summary of the article

What is the CNIL?

The CNIL (Commission Nationale de l’Informatique et des Libertés) is an independent administrative authority created in 1978 and responsible for the protection of users’ personal data in the digital world.

It plays a regulatory role on data protection issues. It assists professionals to comply with regulations. And it also helps individuals to better control their data.

In practice, the CNIL has 4 missions:

  • Inform and protect rights: it responds to requests from individuals and companies. It has a mission of continuous information to its audiences, for example through training and awareness-raising activities on the RGPD. It ensures that people have access to the data processing that concerns them and deals with the complaints that are addressed to it.
  • Supporting compliance: before having a sanctioning role, the CNIL has a regulatory role. It helps companies to comply with the legislation.
  • Anticipate and innovate: CNIL is interested in weak signals and emerging issues related to data protection. It works upstream with companies to promote the emergence of solutions that respect personal data.
  • Control and sanction: the CNIL verifies that data processors apply the law in force. In the event of non-compliance, it can warn, give notice and sanction the organizations concerned.

Commercial prospecting and personal data (RGPD)

The CNIL particularly scrutinizes the prospecting actions of companies. Indeed, to prospect, companies must build up internally, buy or rent a database containing personal data.

Personal data includes all data relating to a natural person who is identified or can be identified directly or indirectly through this data. For example, an individual’s email address, phone number, occupation, age, gender are personal data. Behavioral data collected on the Internet, for example as part of an inbound marketing strategy, is also personal data, as long as it is linked to an identity.

Consequently, any company, in its prospecting actions, is subject to the compliance requirements of the CNIL and liable to sanctions in case of failure to comply.

The entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018 has raised many questions among professionals. Indeed, many were concerned that the new legislation would affect their prospecting activities.

Indeed, the RGPD reinforces the obligations of companies on 4 levels:

  • Data collection methods: in B2B, prior consent is recommended but not mandatory.
  • The right of access to data: contacts must be able to access information about themselves upon request.
  • The right to be forgotten: contacts can request the deletion of their personal data at any time.
  • Notification obligation: in case of a data leak, you must inform the concerned contacts within 72 hours.

However, the GDPR does not change the rules for email marketing. On this point, the rules in force come from the e-Privacy Directive, transposed into French law in Article L.34-5 of the French Post and Electronic Communications Code.

Need more leads?
Try Magileads!

How to adapt your prospecting to the requirements of the CNIL?

The CNIL’s actions aim to control the processing of personal data. Data processing” means any operation or group of operations involving personal data. This concerns the entire data journey: collection, recording, organization, conservation, modification, extraction, consultation, use, etc.)

Therefore, the maintenance of a prospecting file, a customer database or the collection of data via forms on the web must meet the requirements of the CNIL.

First, any data processing must have a clear and specific purpose. This purpose must obviously be legal but also legitimate with regard to your professional activity.

Secondly, if you are collecting data, you need to be able to inform your contacts about how you are using their personal information. You must also ensure that the data is used in a way that respects their privacy.

Thus, virtuous data processing will need to meet several requirements:

  • Relevance: is the data collected really necessary for the purpose?
  • Transparency: have the people whose data is being processed been clearly and explicitly informed in advance?
  • Respect for rights: can the rights to information, access and deletion of data be guaranteed?
  • Data control: are the sharing and circulation of data regulated and contractualized?
  • Security: are the IT security measures sufficient to ensure data protection?

In practice, the RGPD now requires companies to have a register of the processing operations carried out. But, above all, the legislation raises questions on two crucial points: the notion of consent and the right to object.

The rules for B2B prospecting

For B2B professionals, the GDPR has not disrupted existing legal rules. The principle is always that of prior information and the right to object. At the time of collection of the email address, you must inform the person that their email address will be used for marketing purposes. You must also ensure that she can object to this use in a simple and free way.

In practice, the explicit consent of the prospect (opt-in) is strongly recommended by the CNIL but it is not mandatory in B2B (unlike B2C). It is therefore allowed to continue to do opt-out emailing provided that:

  • Inform about the conditions of data processing
  • Respect the right to object
  • Ensure that the purpose of the solicitation is related to the prospect’s profession

In all cases, in each email, you must include:

  • The identity of the issuer
  • A simple way to opt-out of receiving future messages (e.g., in the form of an unsubscribe link at the end of the message)

What is the impact of buying or renting a database?

When you use a purchased or rented prospecting file, you are performing data processing operations. However, you are not involved in the data collection phase.

Nevertheless, when contacting prospects by email on your behalf, you are required to respect the regulations in force and, ideally, to respect the ethical recommendations issued by the CNIL.

When you first communicate to the contacts on the list, you must tell them how they can exercise their rights, including the right to object, and the source of the data used.

Then, each of your messages should include:

  • The mention of your company
  • The reason why the contact is receiving a communication from you
  • An object related to the profession of the person contacted
  • An unsubscribe link

You must also regularly update your file by taking into account the unsubscribe requests of the contacts.

Choose a provider that respects the law and ethics

The consent of the contacts is only recommended by the CNIL in B2B. However, when you are looking for a service provider to purchase or rent a file, you will benefit from finding out how the data is collected.

Of course, you can contact prospects from non-opt-in lists. But beware of the consequences.

Most email services have powerful algorithms that allow them to detect non-opt-in bases or lists that are already heavily overused. If you go through an unscrupulous provider, you risk being blacklisted. Your emails will land directly in the spam folder and your deliverability will be permanently affected.

If your messages still arrive in your recipients’ inboxes, there is also a risk that they will report them as spam.

It is therefore advisable to check with the service provider as to the origin of the data. In addition, you should also work on a finely segmented list. Indeed, the CNIL requires that solicitations be directly related to the position of the person contacted.

A good segmentation will make your contact more natural. Finally, of course, the relevance and quality of the message will have an impact on the reaction and engagement of contacts.

Need more leads?
Try Magileads!

How does Magileads ensure data protection?

MagiLeads provides its clients with a database of 5 million B2B contacts.

This database includes B2B decision-makers (executives, company managers, HR managers, marketing managers, etc.). It is made up of data collected on the web and then aggregated and structured according to a specific algorithm.

Therefore, the data contained in our database is public data, accessible to all on the Internet, which we scrape and structure.

Unlike some purchased databases, we give you access to a much larger and continuously updated database.

Secondly, it is your responsibility to make virtuous use of the data we make available to you. Our general conditions of sale commit you to respect the regulations in force and, in particular, to :

  • To collect the consent of the persons who will be canvassed by email;
  • To allow recipients to exercise their rights of access, rectification and deletion of information concerning them, simply and free of charge
  • Explicitly state the identity of the company sending the message and mention a subject related to the service offered
  • Include a visible and effective unsubscribe link for any email sent from the Magileads platform
  • Regularly update your prospecting file by taking into account requests for modification or deletion of personal data from recipients

By being very vigilant on these good practices, we guarantee an optimal use of our services in the long run. Indeed, we reserve the right to exclude any customer who does not respect these rules in order not to degrade our database.

The CNIL ensures the protection of personal data of citizens. It is involved in all data processing operations, from the methods of collecting information to its use in commercial prospecting. Consequently, B2B prospecting can only be conceived within the legal framework guaranteed by the CNIL. By applying practices that respect the authority’s recommendations, you protect yourself from possible sanctions. Ethical considerations should also guide you in choosing a data provider.

Need more leads?
Try Magileads!

They use our commercial prospecting tool

Need more leads?
Try Magileads!

More articles on business development

Commercial prospecting

B2B sales prospecting: to find customers efficiently Summary of the article What is commercial prospecting? (sales, prospects …) Commercial prospecting is an essential activity for

Read More "

Launch now
your commercial prospecting!

Do you have any questions? We are here to help you.
Book a time slot of your choice to speak with a Magileads business development expert .