Commercial prospecting and CNIL: what you need to know

Commercial prospecting is governed by a specific legal framework. In France, the CNIL ensures compliance with current legislation on the protection of personal data. It informs companies and supports them in their compliance process. It also monitors the rights of users with regard to data processing and has the power of control and sanction in the event of breaches. How can you bring your commercial prospecting actions into line with the requirements of the CNIL? What do you need to know to prospect in B2B in the era of GDPR?


What is the CNIL?

The CNIL (National Commission for Information Technology and Liberties) is an independent administrative authority created in 1978 and responsible for ensuring the protection of users' personal data in the digital world.

It plays a regulatory role on issues relating to data protection. It supports professionals in complying with regulations, and it helps individuals better control their data.

In practice, the CNIL carries out 4 missions:

  • Inform and protect rights: it responds to requests from individuals and businesses. It carries out a mission of continuous information to its audiences, for example through training and awareness-raising actions on the GDPR. It ensures that people can access the processing of data concerning them and handles complaints addressed to it.
  • Support compliance: before having a sanctioning role, the CNIL exercises a regulatory role. It helps businesses comply with legislation.
  • Anticipate and innovate: the CNIL is interested in weak signals and emerging issues related to data protection. It works upstream with companies to promote the emergence of solutions that respect personal data.
  • Control and sanction: the CNIL verifies that data controllers apply the law in force. In the event of breaches, it can warn, put on notice and sanction the organizations concerned.

Commercial prospecting and personal data (GDPR)

The CNIL particularly scrutinizes the prospecting actions of companies. Indeed, to prospect, companies must internally create, buy or rent a database containing personal data.

Personal data includes all data relating to a natural person identified or able to be identified directly or indirectly thanks to this data. For example, an individual's email address, telephone number, professional activity, age and gender are personal data. Behavioral data collected on the Internet, for example as part of an inbound marketing strategy, are also personal data, as long as they are linked to an identity.  

Consequently, any company, in its prospecting actions, is subject to the compliance requirements of the CNIL and liable to sanctions in the event of breaches.

The entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018 has raised many questions among professionals. Indeed, many feared that the new legislation would affect their prospecting actions.

The GDPR reinforces the obligations of companies at 4 levels:

  • Data collection methods: in B2B, prior consent is recommended but not obligatory.
  • The right of access to data: contacts must be able to access information concerning them upon request. 
  • The right to be forgotten: contacts can request the deletion of their personal data at any time.
  • The notification obligation: in the event of a data leak, you must inform the contacts concerned within 72 hours.

However, the GDPR does not change the rules applicable to prospecting emails. On this point, the rules in force come from the e-Privacy directive, transposed into French law in article L.34-5 of the Postal and Electronic Communications Code.

Need more leads?
Try Magileads!

How to adapt your prospecting to the requirements of the CNIL?

The actions of the CNIL aim to regulate the processing of personal data. “Data processing” means any operation or group of operations relating to personal data. This therefore covers the entire data lifecycle: collection, recording, organization, conservation, modification, extraction, consultation, use, etc.

Consequently, maintaining a prospecting file, a customer database or even the collection of data via web forms must meet the requirements of the CNIL.

Firstly, any data processing must correspond to a clear and specific objective. This purpose must obviously be legal but also legitimate with regard to your professional activity.

Next, if you collect data, you need to be able to inform your contacts about how you use their personal information. You must also guarantee use of data that respects their privacy.

Thus, virtuous data processing must meet several requirements:

  • Relevance: are the data collected really necessary for the intended objective?
  • Transparency: have the people whose data we process received clear and explicit prior information?
  • Respect for rights: can we guarantee the rights to information, access and erasure of data?
  • Data control: are the sharing and circulation of data supervised and contractualized?
  • Security: are IT security measures sufficient to guarantee data protection?

In practice, the GDPR now requires companies to keep a register of the processing they carry out. But, above all, the legislation raises questions on 2 crucial points: the notion of consent and the right to object.

The rules regarding B2B prospecting

For B2B professionals, the GDPR has not disrupted existing legal rules. The principle remains that of prior information and the right to object. When collecting a person's email address, you must inform them that it will be used for prospecting actions. You must also ensure that they can object to this use in a simple and free manner.

In practice, the explicit consent of the prospect (opt-in) is strongly recommended by the CNIL but it is not obligatory in B2B (unlike B2C). Opt-out emailing therefore remains permitted provided that you:

  • Inform about the conditions of data processing
  • Respect the right to object
  • Ensure that the subject of the solicitation is related to the profession practiced by the prospect

In any case, in each email, you must include:

  • The identity of the sender
  • An easy way to opt out of receiving future messages (e.g. in the form of an unsubscribe link at the end of the message)

What impact in the context of a database purchase or rental?

When you use a purchased or rented prospecting file, you carry out data processing operations. However, you do not intervene in the data collection phase.  

Nevertheless, when you contact prospects by email in your own name, you are required to comply with the regulations in force and, ideally, to follow the ethical recommendations issued by the CNIL.

In your first communication to the contacts on the list, you must tell them how to exercise their rights, in particular the right to object, as well as the source from which the data used comes.

Then, each of your messages should include:

  • Mention of your company
  • The reason the contact is receiving communication from you
  • A subject related to the profession of the person contacted
  • An unsubscribe link

You must also regularly update your file by taking into account unsubscribe requests from contacts.

Choose a service provider that respects legislation and ethics

Contact consent is only recommended by the CNIL in B2B. But, when you are looking for a service provider for purchasing or renting a file, you will benefit from finding out about the data collection methods.

Certainly, you can contact prospects from non-opt-in lists. But be careful of the consequences.  

Most messaging services have powerful algorithms that allow them to detect non-opt-in databases or lists that are already largely overused. By going through an unscrupulous service provider, you risk finding yourself blacklisted. Your emails will land directly in spam messages and your deliverability will be permanently affected.

If your messages still arrive in your recipients' inboxes, you also run the risk of them being flagged as spam. 

You should therefore check with the service provider about the origin of the data. It is also in your interest to work on a finely segmented list. Indeed, the CNIL requests that solicitations be directly related to the position of the person contacted.

Good segmentation will make your contact more natural. Finally, obviously, the relevance and quality of the message will have an impact on the reaction and engagement of contacts.


How does Magileads ensure data protection?

Magileads provides its clients with a database of 5 million B2B contacts.

This base includes B2B decision-makers (managers, business leaders, HR managers, marketing directors, etc.). It is made up of data collected on the web then aggregated and structured according to its own algorithm.

Consequently, the data contained in our database is public data, accessible to everyone on the Internet, which we are responsible for scraping and structuring.

Unlike some purchased databases, we give you access to a much larger and constantly updated database.

Then, it is up to you to make virtuous use of the data that we make available to you. Our general conditions of sale commit you to respecting the regulations in force and, in particular:

  • Collect the consent of people to be approached by email
  • Allow recipients to exercise, simply and free of charge, their rights of access, rectification and deletion of information concerning them
  • Explicitly include the identity of the company sending the message and mention a subject related to the service offered
  • Include a visible and effective unsubscribe link for any email sent from the Magileads platform
  • Regularly update your prospecting file by taking into account requests for modification or deletion of personal data from recipients

By being very vigilant about these best practices, we guarantee optimal use of our services over time. Indeed, we reserve the right to exclude any customer who does not respect these rules in order not to degrade our databases.

The CNIL ensures the protection of citizens’ personal data. It is involved in all data processing operations, from the methods of collecting information to their use in the context of commercial prospecting actions. Consequently, B2B prospecting can only be conceived within the legal framework guaranteed by the CNIL. By applying practices that respect the recommendations of the authority, you protect yourself from possible sanctions. Compliance with ethical rules must also guide you in choosing a service provider specializing in the provision of data.
