The data prospecting rules French marketers keep getting wrong


On April 8, 2026, Alliance Digitale published a guide on commercial prospecting compliance, laying out in concrete detail which actors in the data chain bear legal responsibility under the General Data Protection Regulation and how consent obligations differ across email, SMS, telephone, and postal channels. The guide - titled "Guide des bonnes pratiques de la prospection commerciale: Transparence, traçabilité et conformité des données" - was produced by the association's Data Provider working group and brings together contributions from eleven companies including Ellisphere, Equativ, Mediaposte, SmartData for Lead by AAAData, and WebRivage.

The 300-member French digital marketing and data association, which also serves as France's representative for IAB, FEDMA, and GDMA, has previously published guidance on measurement, connected television standards, and drive-to-store frameworks. This new publication is notably different. It targets the operational specifics of data collection and prospecting - territory that sits at the intersection of marketing practice and regulatory enforcement, where the margin for error carries direct legal risk.

Why this guide matters now

Prospecting under GDPR has never been a simple compliance checkbox. The regulation's architecture requires every organisation handling personal data to identify a lawful basis, assign responsibility to named actors, and document decisions at each stage of the data lifecycle. For commercial prospecting specifically, according to the guide, the two bases that matter most are consent - known as opt-in - and legitimate interest - known as opt-out. Every channel, every audience type, and every actor in the chain requires a separate assessment.

France's regulatory environment has grown markedly more demanding in recent months. The CNIL adopted its final recommendation on email tracking pixels on March 12, 2026, requiring prior consent for open-rate tracking and audience profiling in most cases. The European Commission proposed major amendments to GDPR in its Digital Omnibus initiative in late 2025, including changes to the definition of personal data and new provisions covering AI processing. Against that backdrop, the Alliance Digitale guide provides a reference document calibrated to current French law, including the ePrivacy Directive as transposed in Article 82 of the French Data Protection Act.

According to the guide, "this document is a guide of good practices for transparency, traceability and compliance of data." It addresses three distinct audiences: the industry, by helping organisations avoid legal risk and secure commercial activity; consumers, by ensuring privacy protection and transparency; and the entire data chain, by establishing a shared understanding of processes and actor responsibilities.

The actors: who does what, and why it matters

The guide devotes its first section to mapping the data chain, defining four legal roles that determine liability under GDPR. These are not abstract categories. Misidentifying which role an organisation holds - or failing to document it - is itself a compliance failure.

The data controller (responsable de traitement) is, according to the guide, the entity that "determines the purposes and means of processing." This actor bears the primary compliance burden: establishing the legal basis for each treatment, informing data subjects, guaranteeing GDPR rights, supervising sub-contractors, and documenting the entire compliance framework. In a typical prospecting context, that is the advertiser commissioning the campaign.

A joint controller (co-responsable de traitement) arrangement arises when two or more controllers jointly determine the purposes and means of a treatment. The guide notes this can stem from a common decision or from separate but complementary decisions that produce a shared treatment. Joint controllers must enter into an arrangement under Article 26 of GDPR, with shared liability across the parties. The example cited is a brand running a campaign in partnership with a social network.

The independent data controller is a subtler category. It applies when one controller shares data with a third party that processes it for its own purposes. The original controller does not decide how or why that third party uses the data - it simply agrees to share it for specific purposes. A transport company using customer data to deliver a parcel is cited as a practical illustration.

Finally, the sub-contractor (sous-traitant) executes instructions without making decisions. According to the guide, the sub-contractor "executes, does not decide." Its obligations are governed by a contract under Article 28 of GDPR and include security, violation notification, supporting the controller on rights requests, and maintaining a processing register. An email routing provider falls into this category by default.

The legal status of the data broker receives particular attention. Brokers - intermediaries that aggregate, enrich, and make personal data available from third-party sources - can be either independent controllers or sub-contractors depending on the specific treatment performed. The guide identifies two distinct broker types: one that aggregates and monetises data for targeting, analysis, or marketing; and one that acts as a simple intermediary between parties. In both cases, the broker must guarantee the lawfulness of the data source, provide evidence of consent or another legal basis, maintain a processing register, and respect minimisation and pseudonymisation obligations where applicable.

Determining which status applies to any given actor is not a matter of label or convention. The guide reproduces a five-question decision tree adapted from EDPB Guidelines 07/2020 (adopted July 7, 2021) that organisations can use to assess their own role. The questions cover: who decides the purpose of the treatment, who decides the data subjects affected, who decides which data are processed, who decides the duration of retention, and who decides the recipients. The guide notes explicitly that choosing the technical means - which software platform to use, for instance - does not by itself confer controller status. According to the EDPB definition reproduced in the guide, "non-essential means concern more practical aspects of implementation, such as the choice of a particular type of hardware or software or the concrete security measures which can be left to the discretion of the processor."

The guide's third and fourth sections lay out the legal obligations that apply to each type of data collection, broken down by channel, audience type (B2C client, B2C prospect, B2B), and treatment purpose.

For B2C prospects - the hardest category from a compliance standpoint - the guide specifies that email, SMS, MMS, Rich Communication Services, instant messaging platforms (WhatsApp, Messenger, Signal), and Vocal Message Service campaigns all require explicit consent (opt-in). Push notifications require consent regardless of whether the target is a client, prospect, or professional contact.

B2C clients face a different standard. For email, SMS, RCS, instant messaging, and callbots, legitimate interest (opt-out) is permitted when the solicitation concerns analogous goods or services to those the customer already purchased. This is the standard "soft opt-in" carve-out, which narrows considerably if the products differ.

B2B contact - whether client or prospect - operates largely under legitimate interest across electronic channels, provided the content of the solicitation relates to the professional role of the person contacted. According to the guide, the legitimate interest basis can be chosen "subject in particular to the fact that the subject of the solicitation is related to the profession of the person canvassed." This formulation matters. A message to a procurement director about procurement software may qualify; the same message to that person about a consumer financial product may not.

Telephone prospecting with human intervention introduces a significant new obligation. According to the guide, for B2C prospects, consent will be mandatory from August 2026 for certain sectors - with carve-outs for charitable organisations, media, and polling institutes. This mirrors a legislative change already in progress in France, tightening requirements on cold calling that has historically operated under legitimate interest.

For non-electronic channels, postal mail operates under legitimate interest (opt-out) across all three audience types. This makes postal prospecting the least consent-intensive channel from a legal basis perspective, though the guide notes that postal prospecting letters must still include mandatory mentions enabling recipients to exercise their access rights.

The B2B scraping provisions are specific and worth noting. Scraping fixed-line telephone numbers from directory providers (official Orange and Free databases) requires no prior warning. Collecting mobile numbers or email addresses, however, does require a specific prior notice - by SMS or email - with an opt-out mechanism. Any data collection via telephone requires a prior disclosure statement informing the person of the data being collected, the purpose, the legal basis (legitimate interest), and their GDPR rights. The guide includes a model script demonstrating how this disclosure should be delivered in practice.

Data quality management and treatment typology

The guide's second part maps the full range of data treatments that arise in a prospecting operation, each assigned a legal basis. Structuring and normalisation of data - formatting names, validating postal addresses, standardising international phone numbers - falls under legitimate interest, its purpose being to maintain data coherence and campaign efficiency. Deduplication similarly rests on legitimate interest, the rationale being to avoid contacting the same person multiple times. Flagging contacts who have moved or died is also legitimate interest, framed as return on investment optimisation for campaigns.

Enrichment operations are divided by type. Adding contact channels - appending an email address or phone number to an existing profile - can rely on either consent or legitimate interest depending on the channel and context. Adding profiling criteria such as birth date, geocoding, occupation status, or wealth indicators relies on legitimate interest. The purpose stated is improving customer knowledge.

Tracking and behavioural analysis - covering cookies, email opens, clicks, and web navigation data - requires consent, with the exception of certain CNIL-recognised exemptions. The guide aligns directly with CNIL's cookie guidance here, which the French regulator has updated repeatedly since 2024.

For suppression and anonymisation - placing contacts on "do not contact" lists and automatic purging after inactivity - the legal basis is legal obligation combined with GDPR rights. Organisations must respond to simple data rights requests within 30 days, according to the guide's fifth section. Emails and SMS must include in every message a simple opt-out mechanism - typically an unsubscribe link at the bottom. Postal prospecting letters must carry mandatory notices enabling recipients to exercise access rights.

The practical cases section illustrates how the consent and legal basis rules translate into actual form design and data flows.

The newsletter-via-competition scenario is a common one in digital marketing. An advertiser commissions a first-party collector to gather new newsletter subscribers through a contest entry form. The guide specifies that the form must present two graphically identical buttons - same colour, same font size, same font weight, same syntactic structure - one for acceptance and one for refusal. The critical point is that participating in the competition cannot be made contingent on accepting commercial prospecting. The guide states that "the internet user can choose to participate in the competition without consenting to commercial prospecting by third parties." Consent for receiving partner offers is captured through the acceptance button only; refusal continues participation. Partner identity and their respective privacy policies must be accessible via a link directly on the form.

The insurance broker lead generation case demonstrates how third-party data transmission must be handled. A broker uses a first-party collector to generate leads via a white-label landing page. A clear mention above the validation button must inform the user that their data will be transmitted to partners to respond to their request. A link on the form must allow access to the full partner list and privacy policies. The guide notes that a link present directly on the form informs internet users of partner identity, allowing them to review each partner's privacy policy independently.

For B2B cookie consent, the guide describes the standard three-option banner architecture: refuse (with the consequence of not accessing certain site features), accept all, or select by category. Categories presented include necessary, preferences, statistics, and marketing. Each tab in the consent interface must explain the purpose of data collected and identify the relevant partners.

A compliant multichannel campaign, according to the guide, must satisfy four conditions simultaneously: a current and verified source database, demonstrated opt-in or legitimate interest depending on the channel, timestamped consent logs available for audit, and an integrated and verified opposition list checked before any campaign is activated.

A compliant enrichment or scoring operation requires: treatment performed on pseudonymised data (email hashes), a clear contractual agreement between broker and advertiser, and logging of the treatment to trace enriched data. The guide recommends tools such as DataLegalDrive, Dastra, and Leto for maintaining processing registers, with the register requiring quarterly updates or updates on any modification of a data flow.
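The pre-activation checks described above (legal basis per channel and audience, timestamped consent logs, an opposition list consulted before sending, lookups on email hashes) can be expressed as a gate that runs before a campaign is activated. This is an added example, not code from the guide or from Alliance Digitale; the data model, the function names, the email normalisation and the fallback to opt-in for cases the article does not settle are all assumptions.

```python
import hashlib
from datetime import datetime, timezone

OPT_IN, OPT_OUT = "opt-in", "opt-out"

def required_basis(channel, audience, analogous=False, role_related=False):
    """Legal basis for a channel/audience pair, per the rules summarised above."""
    if channel == "push":
        return OPT_IN    # consent for clients, prospects and professionals
    if channel == "postal":
        return OPT_OUT   # legitimate interest for all three audience types
    if audience == "b2c_client" and analogous:
        return OPT_OUT   # analogous goods or services
    if audience == "b2b" and role_related:
        return OPT_OUT   # subject relates to the contact's profession
    return OPT_IN        # B2C prospects; also the conservative default (assumption)

def email_key(email):
    """Pseudonymised lookup key: SHA-256 of the trimmed, lower-cased address."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def gate(contacts, channel, consent_log, opposition, now):
    """Return (sendable, blocked) where blocked holds (email, reason) pairs."""
    sendable, blocked = [], []
    for c in contacts:
        key = email_key(c["email"])
        if key in opposition:                       # opposition list wins over everything
            blocked.append((c["email"], "on opposition list"))
            continue
        basis = required_basis(channel, c["audience"],
                               c.get("analogous", False), c.get("role_related", False))
        stamp = consent_log.get((key, channel))     # timestamped proof of opt-in
        if basis == OPT_IN and (stamp is None or stamp > now):
            blocked.append((c["email"], "no timestamped consent"))
            continue
        sendable.append(c["email"])
    return sendable, blocked

# Constructed sample data (not from the guide).
NOW = datetime(2026, 4, 8, tzinfo=timezone.utc)
CONTACTS = [
    {"email": "alice@example.com", "audience": "b2c_prospect"},
    {"email": "bob@example.com", "audience": "b2c_prospect"},
    {"email": "carol@example.com", "audience": "b2c_client", "analogous": True},
    {"email": "dave@example.org", "audience": "b2b", "role_related": True},
]
CONSENT_LOG = {(email_key("alice@example.com"), "email"): datetime(2026, 1, 15, tzinfo=timezone.utc)}
OPPOSITION = {email_key("Dave@Example.org ")}

if __name__ == "__main__":
    print(gate(CONTACTS, "email", CONSENT_LOG, OPPOSITION, NOW))
```

An unsalted SHA-256 of an email address can be reversed by hashing candidate addresses, so a keyed hash (HMAC with a secret held by the controller) is the stronger choice where the hash is shared between parties.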

Why this matters for the marketing community

The intersection of prospecting practice and data law has become a defining challenge for the French digital marketing sector. Survey participants in Alliance Digitale's own economic impact study, released December 4, 2025, identified regulatory compliance as the second-most significant business challenge, with 74 per cent expressing concern about evolving data protection requirements.

Research published in January 2026 and covered by PPC Land found that European companies collectively spend approximately 16 billion euros annually on GDPR compliance. That cost falls disproportionately on smaller organisations that lack dedicated legal and compliance infrastructure. The Alliance Digitale guide addresses this gap directly by providing operational tools - decision trees, model scripts, form design examples - that do not require specialist legal interpretation to apply.

The telemarketing consent obligation coming in August 2026 for certain B2C sectors represents a significant operational change for direct marketing businesses. Combined with the CNIL's March 2026 email pixel rules and the European Commission's broader GDPR amendment proposals, the regulatory landscape is shifting fast enough that organisations without documented processes are genuinely exposed.

According to Claire Normand Loya, Directrice Generale Adjointe BU Data Digitale at Mediaposte and Co-lead of the Data Provider working group at Alliance Digitale, "Compliance is no longer a constraint to be endured: it is a competitive advantage for those who truly embrace it. This guide is the result of an unprecedented collective effort between players who, for the first time, agreed to set the rules of the game together."

Pierre Delaurent, Responsable des ventes indirectes at SmartData For Lead by AAAData and Co-lead of the same working group, added: "This guide finally makes it possible to speak the same language, whether you are a small business or a large group, so that data remains a safe lever for growth."

Summary

Who: Alliance Digitale, a 300-member French digital marketing and data association representing professionals across IAB, FEDMA, and GDMA networks, with contributions from 11 member companies including Ellisphere, Equativ, Mediaposte, SmartData for Lead by AAAData, and WebRivage.

What: Publication of a 29-page practical guide on GDPR and ePrivacy compliance for commercial prospecting, covering data chain actor roles and legal statuses, treatment typology and legal bases, channel-by-channel consent requirements across B2C and B2B, collection rules for digital and non-digital channels, and practical case studies on consent architecture in form design.

When: Published on April 8, 2026, with reference to a forthcoming August 2026 compliance date for mandatory telephone consent in certain B2C sectors.

Where: France, with applicability across European markets operating under GDPR and the ePrivacy Directive. The guide references French law specifically (Article 82 of the French Data Protection Act) and EDPB guidelines applicable EU-wide.

Why: Commercial prospecting under GDPR requires organisations to correctly identify their legal role in the data chain, select the appropriate legal basis for each channel and audience type, and document compliance at each stage. The guide was produced to provide operational tools - decision trees, model scripts, form design examples, and processing register templates - that bring clarity to legal responsibilities across advertisers, first-party collectors, data brokers, technical service providers, and DPOs, at a time when French regulatory enforcement is intensifying across email tracking, cookie consent, and telephone prospecting.