The CNIL imposes a fine of 3.5 million euros for the illegal sharing of data with a social network for advertising purposes.

The CNIL fines a social network 3.5 million euros for illegally sharing personal data for advertising purposes, strengthening user protection.

On December 30, 2025, the National Commission for Data Protection and Liberties (CNIL) imposed a fine of 3.5 million euros on a company that illegally transmitted the data of its loyalty program members to a social network. The transmission was carried out for targeted advertising, but without the valid consent of the individuals concerned. This case illustrates the crucial issues surrounding the protection of personal data in a constantly evolving digital world.

The context of the sanction

In January 2023, following several inspections, the CNIL discovered that the company in question had been communicating email addresses and/or phone numbers of its members since February 2018. This information was used to display targeted advertisements on a social network, aimed at promoting the company’s products. This finding led the CNIL’s restricted committee to sanction the company for several breaches of the obligations set out in the General Data Protection Regulation (GDPR) and the Data Protection and Liberties Law.

The identified breaches

Absence of legal basis for data transmission

The first breach highlighted by the CNIL concerns the obligation to have a legal basis for processing personal data. The company invoked consent allegedly collected when members joined the loyalty program, but it had failed to provide clear information about the use of data for targeted advertising purposes. The information provided to members was not only insufficient but also difficult to access, making informed consent impossible.

Inaccurate information for the individuals concerned

Furthermore, the CNIL noted that the information provided on the company’s website was inaccurate. The purposes of the data processing were not clearly linked to the corresponding legal bases. Consequently, members were unable to grasp the scope of their commitments regarding data protection.

Failures in data security

The CNIL also observed significant gaps in the security of stored data. The password complexity rules were inadequate, and the method used to store passwords, hashing with SHA-256, did not ensure optimal security. These breaches expose personal data to heightened risks of hacking.

Failure to conduct an impact assessment

It was also found that the company had not conducted a data protection impact assessment (DPIA), even though the processing involved a significant volume of personal data and a combination of that data. Such negligence constitutes a violation of the obligations that companies have in matters of data protection.

Non-compliance with cookies and trackers

Finally, the CNIL identified breaches related to the use of cookies and trackers on the company’s website. Cookies subject to consent were automatically placed on users’ devices, even before they had expressed their choice. This practice violates the established rules regarding consent and transparency.

A decision in international cooperation

The sanction imposed on this company is part of a broader framework involving 16 European counterparts of the CNIL. The data of citizens residing in these countries were also affected by this illicit processing. The CNIL deemed it essential to make this deliberation public to raise awareness among the public about compliance with data protection standards, particularly in the online advertising sector.

The challenges of data protection in digital advertising

This case highlights the challenges faced by companies that try to combine personal data and targeted advertising while complying with existing laws. The observed breaches raise fundamental questions about transparency, security, and respect for users’ privacy. To delve deeper into this essential topic, it may be pertinent to explore the implications of data protection or to look into the challenges posed by social networks and young users.
