Cityscoot – €125,000 Fine (France, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Cityscoot was fined for collecting location data from users without their consent. The company, which rents out electric scooters, tracked users every 30 seconds but did not properly justify this data collection. This ruling serves as a reminder for businesses to obtain clear consent before collecting personal information.
What happened
Cityscoot collected users' location data every 30 seconds without obtaining proper consent.
Who was affected
Users of Cityscoot's electric scooter rental service whose location data was tracked.
What the authority found
The French data protection authority ruled that Cityscoot violated GDPR by failing to collect consent before processing personal data.
Why this matters
This ruling highlights that companies must be transparent and obtain consent when collecting personal data. It sets a precedent for stricter enforcement of privacy laws regarding user data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The controller is Cityscoot, a company that rents out shared electric scooters via a mobile application. The controller operated cross-border processing operations but its main establishment was in France. In accordance with Article 56, the CNIL was therefore competent.For each purpose, the controller justified why it was necessary to collect location data every 30 seconds. For traffic offences, the collection was necessary to prove driver's identity and insurance purposes. It also argued that this could be useful for checking whether a scooter was actually at the location where an offence was recorded for potential disputes. For the purpose of handling customer complaints, the company argued that the collection of data every 30 seconds was necessary as the service is charged by the minute. It considered that this collection could be useful for complaints about overcharging due to an error in stopping the rental, parking in areas where parking is prohibited or loss of contact with the app because it allowed to check how long a scooter was stopped. Regarding the purpose of managing theft during rentals, the controller explained that the collection of location was not necessarly cross-referenced with the user's data and was therefore not personal data. However, it did not indicate how many scooters were found thanks to the collection of geolocation data. With regard to accident management, the company argued that the collection of geolocation every 30 seconds was necessary for reporting and insurance purposes and for providing assistance to the driver involved. In May 2020, the CNIL organised an investigation of the controller's website and mobile app. This investigation mainly highlighted three points. First, the company's scooters were equipped with electronic boxes containing a SIM card and a GPS geo-location system. This allowed location data to be collected every 30 seconds when the scooter was active and every 15 minutes when it was not. This data was collected
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Cityscoot in FR
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
16 March 2023
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€125,000
GDPRhub ID
gdprhub-5782About this data
Cite as: Cookie Fines. Cityscoot - France (2023). Retrieved from cookiefines.eu
Last updated: