While the RGPD has harmonized the legal framework for the purchase of files and personal data in the European Union, it has not necessarily provided direct and definitive answers to certain questions that remain in the gray area, such as Scraping and the purchase of files containing scrapped data.
Understanding the law: what is personal data (B2B vs. B2C)
According to the General Data Protection Regulation (GDPR), any information relating to a natural person that can be directly or indirectly identified is "personal".
Contrary to popular belief, nominal identifiers (first and last name, social security number, etc.) and contact details are not the only personal data. As the CNIL explains, the definition is much broader, encompassing all public or confidential data which, when cross-referenced, makes it possible to identify a person.
| 💬 " A name, a photo, a fingerprint, a postal address, an e-mail address, a telephone number, a social security number, an internal personnel number, an IP address, a computer connection identifier, a voice recording, etc." What is personal data? on the CNIL website |
In B2B, the processing of personal data is often justified by the company's legitimate interests. The marketing and sales function can therefore use business data (such as e-mail addresses in nom.prénom@entreprise.com format) without explicit consent, provided that the communication serves " legitimate business purposes " and that the impact on the individual's privacy is minimal.
However, recipients must always be informed of the use of their data, have the right to object to this processing and be able to stop the mailing via a systematic unsubscribe link.
The company must also adhere to the minimization imperative: each piece of data collected must be justified by a real need and directly linked to the objective pursued.
In B2C, regulations are stricter. Consumers' explicit consent is required before any processing of their personal data. Companies must therefore obtain clear and affirmative agreement from individuals for each specific use of data. Consumers are entitled to full information on the use of their data, and retain greater control over its processing, including the right to withdraw consent at any time.
Buying or renting files: what does the law say?
Some business sectors, such as bancassurance, real estate and tech, are accustomed to buying or renting files for prospecting. The RGPD provides a framework for this practice, again with notable differences between B2B and B2C.
In B2B, the purchase or rental of files is authorized under two conditions:
- Data such as name, job title and professional e-mail may be used without individual consent, provided they are used for legitimate business purposes (direct marketing, networking, etc.).
- Individuals whose data is collected must be informed of its use, and must be able to object to it easily. Thus, at the time of collection or at the first contact using this data, the company must inform the persons concerned of the identity of the collecting organization, the purposes of the collection as well as their rights (in particular to object to the processing at any time).
In B2C, requirements are much stricter, since the use of personal data requires the explicit prior consent of individuals for each specific use of the data.
This consent must be clear, documented and easily retractable. The company must clearly communicate the following points:
- What data is collected: name, email address, purchasing preferences...
- Why is this data collected: direct marketing, service improvement, personalization of the user experience...
- How will this data be used: analysis for targeted advertising campaigns, sharing with third parties for product delivery, etc.?
Data scraping: is it legal?
It's a complex issue because, as we'll see, we're in the middle of a gray area when it comes to certain uses.
Scraping, or web scraping, is a computer technique that extracts data from web pages, often automatically and on a large scale.
Scraping bots can collect content, data on competing products (prices and features) or contact data, including e-mail addresses and telephone numbers.
Data scraping is not illegal per se. As explained by the Village Justice website, "from a practical point of view, scraping simply consists in moving from site to site, without creating a personal account, without registering and without accepting the general terms of use (CGU) of the site in question, in particular that relating to non-reuse ".
The legal question arises when it comes to reusing data obtained by scraping. Here, a distinction must be made between several cases:
- If Scraping involves data protected by copyright, any violation makes the user illegal.
- In B2C, if Scraping involves personal data, their use will have to comply with the RGPD
- If B2B data is involved, its use must respect the principles set out in Part 1 of this article.
If not carried out within the framework of the law, Scraping can be sanctioned on the basis of criminal law, competition law, intellectual property law and the RGPD.
Companies reselling files containing scrapped data are subject to the same conditions. Here are some examples of where the resale of scrapped data is permitted:
- Resale of anonymized data for statistical analysis or marketing purposes
- The resale of personal data is possible if the persons concerned have given their free and informed consent.
- The resale of personal data may be authorized when it is necessary for the performance of a contract or the protection of an individual's rights.
The complexity of the issue of file purchasing is well illustrated by the regular debates in the French National Assembly on the subject of personal data scraping. We recommend this BFMTV report on the position of the CNIL and certain members of parliament on the Lusha software.
| ⚠️ Attention The French Data Protection Authority (CNIL) is taking a relatively aggressive stance on the re-use of publicly accessible online data for commercial canvassing purposes. We recommend that you consult this press release to refine your approach. |
