Outbound Call and Data Privacy Regulations in France

National DNC List – Bloctel

France maintains a national "do not call" list called Bloctel, established in 2016 under the "Loi Consommation" (Hamon Law 2014). Consumers can register their phone numbers on Bloctel to opt out of unsolicited sales calls. All businesses engaging in cold calling of consumers must scrub their call lists against the Bloctel database and refrain from calling any number on it. This obligation is defined in the Consumer Code (Art. L223-1 et seq.) and applies to any B2C marketing call (calls to individual consumers).

Company Registration & Access

Telemarketers are required to register on the Bloctel platform before conducting any campaigns. After creating an account on the Bloctel professional portal, a company must purchase a subscription or credits to regularly submit its prospecting list for cleansing. Bloctel returns a sanitized list (removing numbers on the DNC) before the company may proceed with calls.

Frequency of List Checks

Firms must update their call lists against Bloctel at least every 30 days. A consumer's new registration on Bloctel becomes effective 30 days later, so telemarketers must respect a rolling one-month window for list validation. Occasional campaigns require a fresh Bloctel check before each campaign, whereas companies engaged in continuous telemarketing must scrub their lists monthly.

Exceptions

There are limited exceptions where calls to Bloctel-listed numbers are permitted. If there is an existing contractual relationship with the consumer and the call relates to that contract or a related service, the call is allowed despite Bloctel. Similarly, calls made for journalistic or press subscriptions (newspaper/magazine sales) or by non-profit organizations and polling institutes are exempt from the DNC rule. These exceptions aside, businesses cannot call Bloctel-listed consumers unless the consumer has given explicit prior consent to be contacted (e.g. opted in for calls despite Bloctel).

Penalties for Non-Compliance

Violating DNC regulations carries hefty fines. Currently, fines can reach up to €75,000 for individuals and €375,000 for companies per infraction (Consumer Code art. L242-16). The consumer protection authority (DGCCRF) actively enforces these rules; investigations have found many firms in breach and issued significant fines. Notably, France is in the process of tightening these sanctions further – a new law (adopted in 2024, effective Jan 2026) will raise the maximum fine to €500,000 (or up to 20% of annual turnover) and even allow criminal penalties for grave offenses.

Recent Legislative Updates

In addition to Bloctel, France has banned telemarketing outright in certain sectors due to widespread abuse. Since 2020, cold calls for home energy renovation services are completely prohibited by law. Likewise, a 2022 law bans any unsolicited contact (calls, SMS, email) regarding the government's personal training accounts (CPF) due to fraud concerns. These sector-specific bans mean no telemarketing is allowed in those domains, even to numbers not on Bloctel.

France has implemented robust measures to combat caller ID spoofing and fraudulent calls, functionally similar to "Do Not Originate" policies. These measures focus on ensuring that the telephone number displayed (Caller ID) is authentic and actually assigned to the calling party. Key requirements include:

Authorized Caller ID Only

By law, any marketing call must present a valid number that is assigned to the calling company (or the company on whose behalf the call is made). The Consumer Code explicitly requires that the number shown to the call recipient belongs to the business on behalf of which the call is placed. In practice, if a company hires a call center, the call center must display the client company's number (not the call center's own generic number), so consumers can call back and reach the actual company. Using someone else's number without permission (to disguise the caller's identity or location) is considered caller ID spoofing, which is illegal in France. In fact, misuse of a third party's number can be prosecuted as criminal identity theft (Penal Code art. 226-4-1) if done to disturb the person or commit fraud.

Restrictions on Number Ranges

The French telecom regulator, ARCEP, has amended the national numbering plan to prevent misuse of ordinary phone numbers by telemarketers and scammers. Since January 1, 2023, telemarketing calls made using automated systems (auto-dialers, bulk messaging systems) are forbidden from using regular geographic or mobile numbers (01-05, 06-07, 09) as caller IDs. Telemarketers may no longer present what looks like a normal landline or mobile number if the call is mass-generated. Instead, ARCEP created dedicated ranges of "verified calling numbers" for prospecting calls. For example, certain prefixes (like 01 62, 02 70, 03 77, 04 24, 05 68, or 09 48/49) are reserved for automated or call-center usage. Calls from these numbers are subject to special conditions – the operator providing the number must verify that the number's true user authorized its display, making it easier to trace and block spoofed calls. Moreover, using mobile numbers (06 or 07) for call-center or automated campaigns is explicitly prohibited (unless one is a single natural person calling from a personal mobile phone). These rules force legitimate telemarketers to use identifiable number ranges and deter them from "neighbor spoofing" (i.e. using random local-looking numbers to trick consumers).

Call Authentication Framework

France has moved to an operator-level call authentication system to combat spoofing – akin to the STIR/SHAKEN framework in the US. Under the so-called "Mécanisme d'Authentification des Numéros" (MAN) coordinated by ARCEP, telephone carriers must validate that an outgoing call's caller ID is genuine and authorized. As of October 1, 2024, French telecom operators are obliged to block any call that is not authenticated (i.e. fails verification). In essence, the originating carrier digitally "attests" the call's number, and the terminating carrier will automatically drop calls where the number is spoofed or not certified. This new policy was mandated by the 2020 "Naegelen" Law (Loi n° 2020-901) and its implementation has been gradually rolled out. The aim is to make it impossible to falsify caller IDs, especially those of banks, government agencies, or other trusted entities, which scammers often spoof. Under this system, for example, fraudsters can no longer impersonate a victim's bank by making the bank's number show up on caller ID – operators will block such illegitimate attempts.

Operator Duties

ARCEP recommends and now requires operators to actively filter out calls with spoofed numbers or numbers that don't pass authentication. Telecom providers must ensure that any number presented in the network is assigned and used in compliance with numbering rules. They have also been empowered to suspend services if a number is misused. For instance, if a user somehow uses a personal mobile number to blast hundreds of automated calls or texts, operators will detect it and can cut off the line for violating the numbering plan policy. These efforts by ARCEP, combined with DGCCRF and CNIL coordination, target both the supply side (preventing networks from carrying spoofed calls) and the demand side (penalizing companies that attempt to bypass rules).

In summary, while France doesn't use the term "Do Not Originate list" as in some countries, it enforces the same concept: calls must originate only from numbers officially allocated to the caller, and any call with a fake or unassigned caller ID will be blocked or sanctioned. These measures greatly reduce malicious and unsolicited calls by ensuring accountability for the displayed number.

EU GDPR Applicability

Because France is an EU member, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applies fully to how companies conduct outbound calls to individuals. Phone numbers and call recordings are considered personal data (if they relate to an identified or identifiable person). Therefore, any call center or company handling such data must comply with GDPR's requirements. Key GDPR obligations in the context of telemarketing include:

Lawful Basis for Calling

Companies must ensure they have a valid legal basis under GDPR for processing a person's contact data to call them. In practice, direct marketing calls are usually based on either the individual's consent or the company's "legitimate interest" in marketing, coupled with the individual's right to object. France historically has an opt-out regime for telemarketing: prior consent is not strictly required for live marketing calls, as long as the person has not objected. However, GDPR still requires transparency and respect of objections. If a company obtained a person's phone number (for example, via a purchase or a web form), it must have informed them that the number could be used for marketing and given them an easy chance to opt out (e.g. an unchecked box saying "I do not wish to be contacted by phone"). If the person opted out at collection or later, the company cannot legally call. Notably, fully automated calling (robocalls with recorded messages) likely requires explicit prior consent under e-Privacy rules – France treats pre-recorded message calls similarly to email spam, meaning opt-in is needed for those.

Transparency and Rights

GDPR's transparency principle means callers should identify themselves and provide a privacy notice upon request. Individuals have the right to know how their data was obtained and is being used. If a call recipient asks "Where did you get my number?" or demands not to be called again, the company must address this. Companies should be prepared to provide information or fulfill access requests from data subjects regarding call data. Every called individual also has an unconditional right to object to marketing processing (GDPR Art. 21); if someone says "Please take me off your list," the company must cease processing their data for calls. This typically means adding them to an internal do-not-call suppression list that is respected for the future, in addition to the national Bloctel list.

Data Security and Minimization

Outbound calling often involves maintaining databases of prospects' personal details and possibly recordings of calls. Under GDPR, companies must secure these data against unauthorized access and should not retain them longer than necessary. Only data needed for the call campaign (e.g. name, number, relevant opt-in status or preferences) should be processed. If calls are recorded (for quality assurance or training), those recordings should be stored safely, encrypted or access-controlled, and deleted once no longer needed.

Call Recording and Consent

French privacy law follows a two-party consent approach for recording calls. It is illegal to record a phone call without informing the other party; all participants must be made aware and given a choice. In practice, this means if a call center records conversations, the agent must announce at the beginning something like, "This call is being recorded for quality/service purposes." Continuing the call after this disclosure is generally taken as implied consent, as long as the person had the option to object or hang up. Recording without any notice would violate privacy (and potentially penal law). Additionally, GDPR considers recordings as personal data, so there must be a lawful basis (e.g. legitimate interest in improving service, or legal obligation in certain sectors), and individuals may request deletion of recordings concerning them. Best practice is to always notify at call start and, if a customer objects to being recorded, to have a way to continue the call without recording.

Data Protection Officer (DPO) and Documentation

If telemarketing is a core activity and involves large-scale processing of personal data (which is often the case for big call centers handling thousands of contacts), GDPR likely requires the appointment of a Data Protection Officer (GDPR Art. 37). The DPO oversees compliance and serves as a contact point for CNIL and data subjects. Regardless of size, companies must maintain an internal record of processing activities (GDPR Art. 30) documenting their call-related data processing (e.g. categories of data, purposes, retention, security measures). They should also perform a Data Protection Impact Assessment (DPIA) if the calling practices are particularly intrusive or innovative (for example, if using analytics to profile and target vulnerable individuals, which could be high-risk).

French Adaptations – CNIL and "Informatique et Libertés"

GDPR is directly applicable, but France also has a national Data Protection Act (Loi Informatique et Libertés, updated in line with GDPR) and guidance from the national regulator CNIL. CNIL has published specific guidance on commercial prospecting. For instance, CNIL emphasizes that buying third-party call lists or sharing data for marketing must be done in compliance with GDPR – individuals should have been informed and not objected, and a contractual arrangement for data protection should be in place. CNIL can investigate complaints about harassing calls or misuse of personal data collected via phone. If a company calling in France violates GDPR (for example, calling people who never gave any data or post-Bloctel without a valid basis), CNIL can impose administrative fines (up to €20 million or 4% of global turnover for serious violations).

In summary, GDPR overlays all telemarketing operations in France. Companies must carefully manage personal data used in outbound calls – from obtaining and verifying consent or legitimate interest, to honoring opt-outs, securing data, and enabling individuals to exercise their rights. Non-compliance with data protection rules (e.g. using data without proper notice or ignoring objections) can lead to sanctions by CNIL, separate from the consumer law fines for calling against Bloctel.

Beyond DNC and data protection, France has specific rules governing how and when call centers may contact consumers. Recent regulations (effective March 2023) strictly limit calling times and frequencies to reduce nuisance calls. Important operational rules include:

Permitted Calling Hours

Telemarketing calls to consumers are only allowed on weekdays (Monday to Friday) and only between 10:00 AM and 1:00 PM, and between 2:00 PM and 8:00 PM. Calls are forbidden on Saturdays, Sundays, and French public holidays. This means cold calls cannot be made in the early morning, lunch hour (1–2 PM), evening after 8 PM, or on weekends. These time restrictions apply universally – even if a consumer is not on Bloctel or even if the call is to an existing customer, the call must still fall within the allowed window. The only exception is if a consumer has given express prior consent to be contacted outside these hours. For example, if a customer explicitly requests a call at 8:30 PM or on a Saturday and the company can document this consent, it would be permitted; otherwise, it's prohibited.

Frequency Cap

A single consumer may not be called more than four (4) times in a 30-day period for unsolicited commercial purposes. This rule prevents overly persistent harassment by limiting how often any given number can be targeted. The count includes both successful calls and unanswered call attempts – each counts as one solicitation attempt. If a call center has multiple clients or campaigns, they must coordinate to ensure an individual isn't bombarded (the law is per consumer per caller).

Cooling-off after Refusals

If a consumer answers a call and expressly refuses the solicitation (for example, says "Not interested" or "Please don't call me again"), the telemarketer must not call that person again for at least 60 days. This two-month "no-contact" period aims to respect the consumer's wishes and prevent repeated annoyance. In practice, once someone rejects an offer, their number should be marked as blocked/suppressed in the campaign for the next 60 days (at minimum – arguably it should be permanent if they asked not to be contacted at all). Of course, if the person is not already on Bloctel, they could be called again after 60 days, but doing so against their stated objection might violate GDPR's objection rights. Best practice is to treat a refusal as an opt-out going forward.

Identification and Call Conduct

French law requires that callers identify the company and the purpose of the call at the start of the conversation. While the law (Code de la consommation) mandates showing the proper caller ID number, it's also expected that the agent states the business or charity they represent. If the call is a sales call, the consumer shouldn't be misled about the intent. Additionally, any call scripts must comply with truth-in-advertising and fair practice rules. Misrepresenting oneself (e.g. pretending to be a government survey when it's a sales call) would be unlawful.

Consent for Marketing Calls

France's regime is opt-out (until 2026 when an opt-in system is scheduled), so companies can call individuals who have not opted out. However, explicit consent is required in certain scenarios: for fully automated pre-recorded calls (as noted, those are treated like "automated calling machines" under e-Privacy) and for contacting consumers who are listed on Bloctel (they'd have to give consent to override the DNC). Moreover, some sectors may have their own consent requirements – for example, calls involving financial products might require prior customer agreement or fall under financial solicitation regulations. Companies should always ensure they are not violating sector-specific rules (e.g. insurance and banking regulators' guidelines on cold calls).

Call Recording and Monitoring

As discussed in Section 3, if calls are recorded (for quality control or training), French law effectively requires two-party consent. Call centers must inform the consumer at the outset that the call is recorded and state the purpose. If the person continues, consent is presumed. Additionally, if an agent is being monitored or recorded, French labor laws and privacy laws require informing the employee as well. Recordings should be used only for the stated purposes (e.g. training, dispute resolution) and not kept indefinitely. Typically, companies announce, "This call may be recorded for quality and training purposes," satisfying the notice requirement. If a customer objects, the company should have an alternative (like stopping the recording or using a different channel).

Special Sectoral Rules

Certain industries have extra telemarketing regulations:

Financial Services

The financial regulator (ACPR/AMF) imposes strict rules on cold-calling for investments or banking products. For instance, investment services cold calls are heavily regulated – firms must not call people on a blacklist of "no cold call" if they opted out via the AMF's system, and must follow script and transparency rules. Also, MiFID II (EU law) requires that any conversation intended to conclude a transaction in financial instruments must be recorded and archived for potential regulatory review. Thus a broker's call center has legal recording and retention obligations (usually 5 years) – but they still must inform the client of the recording.

Insurance

There are rules under the Insurance Code about distance marketing and clear consent if selling insurance by phone.

Healthcare

Calls involving health-related services or data are rare due to sensitivity, but if a call center were to use health data (e.g. calling patients for clinical trial recruitment), explicit consent and medical confidentiality laws would apply. In general, telemarketing of medical devices or treatments directly to consumers is not common and would be tightly controlled by health advertising laws.

B2B Calls

It's worth noting that the above restrictions on call times, Bloctel, etc., apply to consumer (B2C) telemarketing. Business-to-business (B2B) cold calls are not subject to Bloctel or the specific hour/frequency limitations. The law defines a "consumer" as a person not acting in a professional context. Thus, calling a company's office or a professional's number to sell business services is generally allowed outside those strict time constraints (though general principles of fair marketing and GDPR still apply if it's a personal data like someone's direct line). However, if the targeted number is a personal mobile even used by a professional, or a one-person business, there can be overlap. Many companies voluntarily emulate Bloctel opt-out for businesses or honor requests from businesses not to be called.

In summary, France's call center regulations require thoughtful scheduling and respectful frequency of calls. Telemarketers must confine their outreach to working hours on weekdays, limit how often they retry a number, and immediately desist for a period if the consumer doesn't wish to continue. These rules, enforced by DGCCRF via decrees, aim to curb the intrusive nature of cold calls while still allowing legitimate telemarketing within reasonable bounds.

Several regulatory bodies in France oversee and enforce the various aspects of outbound calling regulations:

In conclusion, companies operating outbound calls in France should be aware that multiple watchful eyes are on them: CNIL for privacy, DGCCRF for consumer rights, and ARCEP for telecom rule compliance. Each has authority to investigate and penalize different aspects of non-compliance, and together they form a comprehensive oversight framework.

Companies engaging in telemarketing in France must complete certain registrations and integrate specific databases into their operations to remain compliant:

Bloctel Registration

As discussed, any professional wishing to place sales calls to consumers must register with Bloctel. This is not optional – it's a legal prerequisite. The registration is done online on the Bloctel pro portal and involves providing company information and agreeing to the terms of use of the Bloctel system. Once registered, the company must subscribe to a plan to be able to submit phone number lists for cleansing. There are costs associated (tiered by volume of numbers checked), effectively a fee for accessing the DNC list. Failing to register and scrub against Bloctel, yet proceeding to call consumers, is a direct violation of the Consumer Code. In addition, professionals are required to inform consumers of the existence of Bloctel in some cases (for example, if a consumer with no current contract is being contacted, the business should remind them they can register on Bloctel). This obligation (Consumer Code art. L223-2) is to ensure people know their rights to opt out. Thus, integrating Bloctel is both a one-time registration and an ongoing process of checking data.

Internal Do-Not-Call List

Aside from Bloctel, companies should maintain their own internal suppression list of individuals who have directly requested not to be called. GDPR effectively mandates this (honoring objections), and France's 60-day rule after a refusal reinforces it. While not a government-provided database, it's a mandatory practice to keep track of anyone who says "do not call me" and ensure they are excluded from future campaigns. Many companies integrate this with their CRM systems. If an individual is on Bloctel, that covers it, but if someone opted out only with your company (and perhaps not registered on Bloctel), you still must not call them. Failing to maintain such an internal list can lead to repeat unwanted calls, which can trigger complaints and fines under GDPR or consumer harassment laws.

CNIL Notification (no longer required)

Under the pre-2018 regime, companies had to notify CNIL of their prospecting databases (personal data filing declarations). GDPR removed the general notification requirement, replacing it with accountability measures (like keeping records, doing DPIAs). So, there is no need to register your calling database with CNIL now, except in special cases (e.g. if using certain types of data that still require prior authorization, like processing biometric or health data, which is usually not relevant for telemarketing). However, if a company appoints a Data Protection Officer, that DPO's identity must be communicated to CNIL. Foreign companies (outside EU) must designate an EU representative (see Section 7) and often register that rep's details with a European authority (in France, CNIL can be that contact point). In summary, there's no formal CNIL filing for a call list, but companies must self-organize their compliance and be ready to demonstrate it.

Sectoral Registrations

If the telemarketing involves regulated industries, the company might need additional registrations or to consult special databases. For example:

• A telephone fundraiser for charities might need prior approval from the prefecture or to follow the guidelines of France's charity regulator.
• Cold calls for insurance or real estate may require the callers to hold certain professional licenses or registrations (like being a registered insurance intermediary or having a real estate agent card) – otherwise, the solicitation itself could be illegal.
• Companies selling financial investments by phone need to ensure they aren't calling people on the AMF's "grey list" of investor-protection (France's financial regulator sometimes distributes lists of people who should not be solicited due to being vulnerable or having opted out via a separate mechanism).
• There is also an anti-fraud database (OPPOSETEL manages Bloctel) and efforts to coordinate with international databases to catch scammers. Telemarketers don't directly access these, but they should be aware that authorities share data on rogue callers.

Documenting Compliance

While not a public "registration," companies should document their compliance efforts – e.g. keep records of Bloctel list downloads and scrubbing results (to prove they filtered out registered numbers on date X). They should retain proof of consents if any calls are made based on prior consent (date, time, method of consent). They should also document their calling campaigns (dates, scripts used, numbers called) in case regulators inquire. If using a dialer, logs should be kept to show they didn't exceed call frequency limits. All these internal records collectively serve as evidence that the company followed the required "registrations" and checks.

Database of Recycled Numbers

One practical challenge is number recycling – if a number was on Bloctel under a previous owner, and it gets reassigned, Bloctel may still list it until the original registration expires (3 years). Telemarketers should always rely on the latest Bloctel scrub results, and if a called person says "I'm new user of this number, I didn't register on Bloctel," the company should advise them on how to update Bloctel (or treat them as opt-out if they wish). This is just a nuance in database management to be mindful of.

In short, Bloctel is the primary mandatory database to consult for outbound calls in France. Companies must register for it and use it diligently. Beyond that, compliance requires maintaining internal records (like an internal DNC list and GDPR documentation) rather than registering those with the government. Companies should also stay updated on any new databases or registries – for instance, if France were to create a registry of numbers allowed for telemarketing under the new opt-in regime (post-2026), companies would need to adapt to that system.

Territorial Scope

France's outbound calling rules apply not only to French companies, but to any company (domestic or foreign) that targets people in France. In other words, if a foreign company or call center outside France is making calls to French consumers, it must comply with French regulations just as a local company would. There are several considerations for foreign entities:

Bloctel for Foreign Callers

The Bloctel "do not call" obligation extends to any professional prospecting French consumers. A company based abroad (for example, a call center in North Africa or Eastern Europe calling on behalf of a French merchant, or a US company cold-calling to sell products in France) is required to honor Bloctel registrations. In practice, this means foreign firms should register with Bloctel (or the French client that hired them must do so and provide cleansed calling lists). The law does not excuse foreign entities – if they call French numbers, they can be held accountable for violating Bloctel or call-time rules. Enforcement can be challenging across borders, but France's DGCCRF can collaborate with counterparts in other countries or impose penalties that affect the foreign firm's ability to do business in France. For instance, a foreign telemarketer might face blocking of their calls by French operators if they are known to flout the rules.

GDPR and Foreign Companies

GDPR has an extraterritorial reach. Any company, regardless of location, that processes personal data of people in France "for the purpose of offering goods or services" or monitoring behavior (which marketing calls certainly count as offering services) falls under GDPR (Article 3). So a call center in, say, Morocco calling French individuals is processing EU personal data. It must therefore comply with GDPR principles (lawful basis, rights, etc.) and crucially, appoint an EU representative (GDPR Article 27) because it has no establishment in the EU. This EU representative – which could be a person or entity in France or another EU country – serves as a local contact for regulators and data subjects. CNIL or data subjects can reach out to that representative with complaints or legal service. Foreign companies often designate a French office or law firm as their representative when targeting France.

Cross-Border Data Transfers

If an outbound call operation involves transferring personal data from France/EU to a non-EU country (for example, a French company sending a list of customer phone numbers to a call center in Asia), GDPR's data transfer rules kick in. The controller must ensure an adequate safeguard is in place for the transfer, such as EU Standard Contractual Clauses (SCCs) or that the destination country is recognized as adequate (which many are not, except a few like those under EU adequacy decisions). In practice, French companies outsourcing calls abroad need to sign SCCs with the vendor and perhaps conduct transfer impact assessments. Even a foreign company collecting data from French individuals during calls (say they generate leads containing personal info) is transferring that data out of the EU, and needs a legal mechanism to do so. These GDPR requirements mean foreign firms must treat French call data with the same care a European company would – otherwise they risk GDPR fines. CNIL has pursued foreign companies before (including those in the US) for privacy breaches related to marketing.

Local Presence and Representation

While not required to incorporate in France, foreign companies calling into France might consider establishing a local subsidiary or branch. Having a local presence can ease compliance – e.g. a French branch could register for Bloctel, interface with CNIL and DGCCRF, and ensure all French-specific rules are followed. If no local entity exists, the burden is on the foreign company to keep up with French law changes and respond to any official notices. The new 2024 law (telemarketing with consent) will likely apply to any calls made to French consumers, so foreign firms will also have to switch to opt-in by 2026.

Enforcement Across Borders

Enforcement mechanisms include blocking calls (via ARCEP's operator rules) and legal action. ARCEP's number authentication requirement (MAN) applies at the operator level, so if a lot of illegal calls originate from foreign call centers using spoofed numbers, French operators will drop those calls. DGCCRF can also publish names of offending companies, which is reputationally damaging. Under the EU's consumer protection cooperation regulation, France can ask other EU states to help if the caller is in the EU. If the caller is outside the EU, it's trickier, but GDPR gives CNIL tools like international cooperation or targeting the EU representative. Also, if a foreign entity ever establishes some assets or business in France, outstanding fines could be enforced then.

Requirements for Foreign Business Targeting France

To summarize, a foreign company calling France should:

• Abide by Bloctel (either directly or via its client).
• Comply with call hour and frequency restrictions – schedule calls in French time 10h-20h only, etc.
• Use only proper French phone numbers for caller ID (the foreign company cannot just display a random French number; as ARCEP notes, foreign call centers cannot directly obtain French numbers unless they have ties in France. Usually the French client provides a number or the call center uses international dialing which shows up with a foreign country code – though that reduces answer rates).
• Designate an EU representative for GDPR and ensure a GDPR-compliant process (with privacy notice given to called persons, etc.).
• Implement an internal DNC system and follow any French-specific nuances (like 60-day no-call after refusal).
• If using French customer data, sign the necessary data processing agreements and SCCs. If the calls are on behalf of a French company, often the French company remains the data controller and the foreign call center is a data processor, which also brings obligations (GDPR Art. 28 contract, etc.).

Outbound B2B from Foreign

If a foreign company is cold-calling French businesses (B2B marketing), Bloctel and consumer law wouldn't apply, but GDPR still could if they're calling individuals on their personal mobiles or using personal data. If it's purely calling company switchboards or published business contacts, GDPR might not view generic business contacts as personal data (e.g. calling "info@company.com" or main office numbers is fine). However, many business calls do involve personal data (the name and direct line of a manager), so GDPR likely applies.

In essence, being outside France does not exempt a caller from French rules. Any foreign company that wants to telemarket in France should either partner with a French-compliant firm or thoroughly implement French legal requirements in their operations. It's wise for foreign entities to get legal advice on French specifics and perhaps have a French agent to handle any regulatory issues that arise.

Given the complex web of regulations, companies should adopt a set of best practices to ensure compliant and successful outbound calling operations in France:

Integrate Bloctel Checks into Workflow

Treat Bloctel scrubbing as an automatic step in campaign preparation. For example, before dialing any list of French numbers, upload the list to Bloctel's system (or via an approved API) and remove all flagged entries. Do this no more than 30 days prior to the campaign launch so it's up-to-date. If running continuous campaigns, schedule a monthly Bloctel update. Maintain evidence (receipts or logs from Bloctel) of these checks to demonstrate diligence.

Honor Opt-Outs and Build Suppression Lists

Every time a person says "Please don't call again" or opts out through any channel, log it in an internal DNC list. Configure your dialer or CRM to never call those numbers. Even if the person is not on Bloctel, your internal respect of their preference is required by law (GDPR objection) and courtesy. Also, if someone is on Bloctel but for some reason you have an allowed reason to call (e.g. existing customer), if they tell you to stop, you must stop. Keep the internal opt-out list synchronized across all campaigns and with any third-party partners to avoid mistakes.

Time and Frequency Compliance

Set dialing rules in your call center system to only permit calls during 10h00–13h00 and 14h00–20h00 on weekdays. Modern dialers can be programmed with time-of-day restrictions. Disable calling on weekends and public holidays entirely. Also use the dialer's controls to limit call attempts to max 4 per 30 days per contact. This may involve a counter or tagging system for attempt history. If using multiple lists or multiple client campaigns, implement a way to unify attempts count for the same number (to avoid, say, calling the same person for different products a total of 8 times). It's also prudent to space out those attempts over the weeks – calling a person four times in one week, while technically within 30-day rule, could be seen as aggressive. After any refused call, block that number for 60 days as required. Essentially, configure your systems to enforce the 4-call and 60-day rules by default.

Use Proper Caller Identification

Always display a valid, recallable phone number as caller ID, preferably one that the called party can dial back and reach your company or at least an IVR that identifies the company. Do not use random numbers or personal mobile numbers to boost pickup rates – this is illegal in France now. If you outsource calls, coordinate with the client to use the client's number or a dedicated number that meets ARCEP's criteria (for automated campaigns, likely a number in the special ranges like 09 48, etc., obtained through your telecom provider with the proper registration). Ensure any number you use is set up to handle callbacks – even if it's just a recorded message or an option to press to reach a representative. French rules mandate that the number presented must allow the consumer to recontact the entity who called. Not only is this legally required, it's also good customer service (people might call back to verify who called or to opt out).

Prepare and Train Call Agents

Provide training to your calling agents on compliance points: they should know to introduce themselves and the company, mention if the call is being recorded, and never pressure or mislead consumers. Agents should also be trained to handle objections or opt-outs gracefully – e.g. apologize and flag the number for no-future-contact if someone says they don't want calls. Make sure agents are aware of the permitted call times in French local time (account for time zone differences if calling from abroad!). They should also know the exceptions – e.g. if a consumer says "I'm on Bloctel, why are you calling?", the agent should be able to respond if an exception applied ("You are a current customer, and we're calling regarding our contract. If you prefer, we will not call you again."). Having a compliance script or at least FAQs for agents helps ensure no off-script promises or legal misstatements are made.

Consent Management

If your marketing strategy is moving toward a consent-based model (especially anticipating the opt-in regime by 2026), start collecting explicit opt-in consents for calls now. For instance, on your website or via email, ask customers if they would like to receive phone offers and log that consent. This way you build a pool of callable numbers with strong permission, insulating you from Bloctel issues (consented numbers can be called even if on Bloctel, since they've explicitly opted in). Maintain records of when/how consent was obtained. Also implement easy ways for people to revoke consent (a link, or a customer service number). While not strictly mandatory under current law (except for automated calls), having consent is a best practice that likely will be mandatory soon – getting ahead of it is wise.

Data Management and GDPR Compliance

Ensure you have a clear legal basis documented for your calling data. If it's legitimate interest, document a Legitimate Interests Assessment balancing your marketing need against the person's privacy, and note the safeguards (like Bloctel filtering) you use. If it's consent, store proof of consent. Provide a privacy notice to call recipients – often this can be done by directing them to a web page or offering to email/mail it. For example, the agent can say: "You can find information on how we use your data on our website privacy page or I can send it to you." At minimum, the agent should inform the person of the company name and the purpose of the call, which are basics of GDPR's information requirement. Keep your record of processing updated to include calling activities, and do a periodic DPIA if you introduce new technology (like an AI auto-dialer or new data source).

Monitor and Audit Compliance

It's good practice to periodically audit your call logs and processes. Check if any calls slipped outside allowed hours due to dialer settings, or if any number was called too many times. Audit a sample of call recordings for proper consent announcements and respectful behavior. Also, verify that your Bloctel processing is functioning (e.g. ensure no calls went to a number that your Bloctel report marked as blocked – perhaps due to human error). Keeping an audit trail and correcting issues proactively can be a mitigating factor if regulators ever inquire.

Stay Updated on Law Changes

As mentioned, France is moving towards an opt-in regime from 2026 (all telemarketing will require prior consent). Companies should follow developments from the Parliament and guidance that will come out as the date approaches. Also watch CNIL and DGCCRF press releases – these often highlight enforcement trends (e.g. CNIL might announce it fined Company X for illegal cold calls, which provides a case study of what not to do). Subscribe to CNIL's newsletter or the Ministry of Economy's updates for professionals. If operating internationally, also keep an eye on the EU ePrivacy Regulation in progress, which may eventually harmonize rules on phone marketing across the EU.

Consider Call Authentication Tech

With ARCEP's authentication mandate in place, ensure your telecom provider or PBX system supports the required protocols. Work with your carrier to properly register your numbers and sign your outbound calls so they are marked as verified. This will not only avoid your calls being blocked by French networks, but it can improve call pickup rates (as the ecosystem evolves, phones might display "verified call" trust indicators). It's both a compliance and a performance step.

Consumer-Friendly Practices

Apart from legal compliance, adopting a consumer-friendly approach can save your reputation. This includes simple steps like not calling the same person too early after a previous attempt (even within the 4 allowed tries – give some days between attempts), leaving a polite voicemail if appropriate (identifying the company and reason, so the person doesn't feel ambushed), and providing easy ways to opt-out (such as saying "If you prefer not to receive further calls from us, just let us know anytime"). These practices can reduce complaints. Satisfied or at least not-annoyed consumers mean less risk of them reporting you to authorities.

Documentation and Legal Backup

Have your legal or compliance team prepare standard documentation: proof of Bloctel subscription, template consent language, call scripts vetted for legal compliance, and a process document that maps out how you comply with each requirement. This "compliance playbook" can be very useful if you ever need to demonstrate your commitment to regulators. During a DGCCRF inspection, being able to show your procedure (e.g. "here's our process for monthly DNC list sanitization, here are logs of last runs, here's our script and training slides on call rules") can go a long way.

By following these best practices, companies can significantly reduce the risk of violations. Compliance not only avoids fines but can also improve call effectiveness – reaching only willing consumers at appropriate times creates a more positive interaction. France's rules might seem strict, but they ultimately push companies towards more respectful and efficient telemarketing. Embracing that spirit will benefit businesses in the long run, especially as the trend moves towards greater consumer consent and data protection in all marketing activities.