CNIL Adds New Consent Requirement for Use of Credit Card Data
"The CNIL, France 's data protection authority, published a new recommendation relating to the collection of credit card information, replacing an older 2003 recommendation. The new recommendation, which represents a de facto standard for online merchants and payment services providers who collect data from French consumers, is more prescriptive than the old, particularly regarding how online merchants should seek consent for the retention of credit card information. Under the CNIL 's analysis, the principle purpose for which consumers provide payment information to a merchant is to complete a given online transaction. If a merchant or service provider wants to retain card information to provide additional services, such as the ability to make subsequent purchases without having to enter credit card information a second time, the CNIL considers this as a separate ""purpose"" for which the online merchant must seek separate consent. The CNIL said that a user 's consent to the terms and conditions is not sufficient. There must be a separate check-the-box consent pursuant to which the consumer explicitly agrees that the online merchant may keep payment details in order to facilitate future transactions. The online merchant must then give users a visible and easy-to-use opt-out to later revoke their content."