7. Personal data confidentiality risks

| High ✔ | Medium | Low |
|---|---|---|

Advertising and communication activities involve the processing of a significant volume of personal data. Regulations governing personal data protection are complex and evolving, differ from country to country and generate significant and increasing compliance costs. Some of the regulations applicable to the Groupe are well established, while others, more recently introduced, are still under development. As an example of an established regulation, the European Union's General Data Protection Regulation (EU) 2016/679 of April 27, 2016 (GDPR), which entered into force on May 25, 2018, has strengthened the obligations and responsibility of companies processing personal data. The GDPR has strengthened the rights of individuals by giving them increased control over their personal data and provided for administrative sanctions of up to €20 million or 4% of global annual revenue for the most serious breaches. European supervisory authorities are showing increased vigilance by using these sanctions more and more often and by imposing increasingly significant fines. More recently, due to decisions by European Union regulators and following Brexit, additional obligations related to international data transfers have been put in place. The European Union also introduced new regulations which affect the advertising and marketing industry with the ambition of turning the European Union into a single digital market and “creating a safer digital environment which protects consumers’ fundamental rights and establishes fair competition conditions for companies”. These are the Digital Services Act, the Digital Markets Act and the ePrivacy regulation.
Since the implementation of the GDPR, an increasing number of countries across the globe have been adopting personal data protection regulations. In the United States, as there is no federal regulation, California was the first state to adopt a regulation, known as the California Consumer Privacy Act (CCPA), which came into force on January 1, 2020. In October 2020, it was supplemented by the California Privacy Rights Act (CPRA), which will enter into force on January 1, 2023 and apply to personal data collected from July 1, 2023. The CCPA provides for a right to opt-out, allowing users to suspend the sale of their personal data. The CPRA expands the current personal data protection scheme by increasing the requirements on how companies are authorized to use the personal data of consumers in California and by creating a new governmental agency in charge of ensuring CCPA compliance. In March 2021, the State of Virginia adopted the Consumer Data Protection Act, and in September 2021, Colorado also took that important step by adopting the Colorado Privacy Act. A dozen other states in the United States are in the process of adopting their own personal data protection laws, complicating the situation by fragmenting the legislative landscape.
In 2021, other countries introduced new laws relating to personal data protection. In August 2021, Brazil adopted the Lei Geral de Proteção de Dados Pessoais (LGPD) and in November 2021, the People’s Republic of China adopted its own personal data protection act.
Any unauthorized loss or disclosure of personal data may give rise to substantial damages for the persons concerned, who may sue the Groupe. The Groupe, which deals with an increasing volume of personal data, could be subject to increased scrutiny by supervisory authorities. Any breach of applicable regulations may, on top of any liability suits and sanctions handed down against the Groupe, create a loss of client trust and have an adverse impact on the Groupe’s reputation and activities.