Online clairvoyance: KG COM fined EUR 150,000

Background information

KG COM operates several websites to offer its customers clairvoyance readings by chat or phone. Following the publication of a press article in 2020 revealing the existence of a personal data breach involving the company, the CNIL carried out three investigations into KG COM.

During its investigations, the CNIL noticed several infringements, in particular concerning the systematic recording of phone calls, the collection of health data and information relating to sexual orientation, the retention of banking data without the consent of individuals, the obligation to notify a data breach or the rules relating to cookies.

Consequently, the restricted committee – the CNIL body responsible for imposing sanctions – imposed two fines on KG COM:

• a fine of EUR 120 000 for infringements of the General Data Protection Regulation (GDPR). This fine was taken in cooperation with the European CNIL counterparts (Belgium, Luxembourg, Italy, Spain, Portugal, Bulgaria, Berlin et Ireland) within the framework of the one-stop shop procedure, as KG COM has customers and prospects from several Member States of the European Union.
• a fine of EUR 30 000 for non-compliance relating to use of cookies (Article 82 of the French Data Protection Act). In this case, the CNIL has the jurisdiction to act alone.

In order to determine the amount of the fine, the CNIL took into account the particularly high number of infringements of the data protection rules, the sensitivity of the personal data processed (health data, information relating to sexual orientation) and the number of data subjects.

It also took into account the financial situation of the company, which showed a negative net result in 2020 after a significant decrease in its turnover in recent years, and took into account the structure of the company which employs only a few employees, in order to adopt a dissuasive but proportionate fine.

Main infringements sanctioned

Failure to minimise the personal data collected and processed (Article 5.1.c GDPR)

The company systematically recorded all phone calls between telephone operators and prospects, as well as between fortune-tellers and customers, with the aim of checking service quality, proving that a contract has been formed and responding to potential court orders.

Although the company has now stopped phone-based clairvoyance readings, and therefore phone recordings, it has not provided any justification for the previous need to systematically record all calls for these purposes.

Failure to have a legal basis for the use of banking data (Article 6 GDPR)

The company retains its customers’ bank account data longer than is strictly necessary for completing the transaction, for anti-fraud purposes and facilitating the subsequent purchases of new clairvoyance sessions by customers.

If the legal basis for storing bank account data for anti-fraud purposes is the legitimate interest, this does not apply to the retention of data for subsequent purchases, for which the company should have obtained the consent of individuals.

Failure to obtain prior consent from individuals to collect special categories of data (Article 9 GDPR)

During readings, customers can provide information about their health and sexual orientation, which are noted on records stored by the clairvoyants.

The company should have obtained its customers’ prior explicit consent to process their sensitive data. The simple wish to receive fortune-telling services and the spontaneous disclosure of sensitive information do not constitute an explicit consent. The company should also have provided data subjects with specific information about the collection of their sensitive data.

Failure to ensure the security of personal data (Article 32 GDPR)

The company implemented insufficiently robust passwords for user accounts and did not secure access to the www.voyance-en-direct.tv website using the http protocol instead of the https protocol, which then exposed the data to the risk of computer attacks or leaks.

It also used a bank data encryption mechanism that had vulnerabilities.

Failure to notify a data breach to the CNIL (Article 33 GDPR)

On 29 September 2020, the company was informed by a journalist who provided it with a sample of its database that it was the subject of a data breach. However, the company did not notify the data breach to the CNIL. It considered that it couldn't observe the data breach due to the closure of its server and the lack of storage of logs to the server by its processor.

However, the company could identify the data breach by comparing the sample data provided by the journalist to its database. The company, because it is the controller, had an obligation to notify the data breach even if the data breach was caused by an error that could be attributed to the processor.

Failure to comply with obligations related to the use of cookies (Article 82 of the Data Protection Act)

The CNIL first noticed the absence of a cookie banner and the deposit of three cookies on the users’ terminal without their consent and when arriving on the website. The company then set up an information banner, but which did not allow the users to refuse the deposit of cookies as easily as to accept them.

During the procedure, the company set up an information banner in accordance with the requirements of the CNIL and stopped depositing cookies subject to consent without having collected the consent of the users.