The French Data Protection Authority (CNIL) recently fined e-scooter rental company Cityscoot €125,000 for failing to comply with EU and French data protection regulations.
Specifically, CNIL found that Cityscoot had not abided by the obligation of data minimization outlined in Article 5 of the EU General Data Protection Regulation (GDPR) when collecting users’ geolocation every 30 seconds and keeping a record of this information. In addition, CNIL determined that Cityscoot had failed to obtain the necessary consent from users for its use of Google’s reCAPTCHA service during account creation, login, and password recovery, and had not informed them that hardware and software information from their devices was being collected and shared with Google behind the scenes. Finally, three of Cityscoot’s data processing agreements were also found to be incomplete based on what is required under Article 28 of the GDPR.
In order to ensure better protection of French citizens’ rights, CNIL has made a clear effort to prioritize investigations and enforcement in areas related to everyday life, with this fine being only the latest example.