On December 30, 2025, the National Commission for Informatics and Liberty (CNIL) imposed a record fine of 3.5 million euros against a company that illegally transmitted the personal data of members of its loyalty program to a social network, primarily for advertising targeting operations. This decision follows inspections conducted in January 2023, revealing multiple breaches of the obligations set out by the General Data Protection Regulation (GDPR), while emphasizing the importance of consent and transparency in the processing of personal data.
CNIL Inspections and Findings of Breaches
During its investigations, the CNIL observed that the company in question had, since February 2018, been transmitting the email addresses and/or phone numbers of its loyalty program members to a social network. This information was used to display targeted advertisements promoting the company’s products. The breaches identified by the CNIL are significant and mainly concern fundamental principles of data protection.
Analysis of Breaches of Data Legislation
One of the crucial points raised by the CNIL concerns the lack of valid consent. The company attempted to justify its actions by arguing that the members’ consent had been obtained upon their enrollment in the loyalty program. However, the CNIL concluded that this consent was not valid: the information provided in the enrollment form did not mention the transmission of data for advertising purposes, which undermined the members’ ability to give informed consent.
Obligation of Information and Transparency
Another significant breach noted by the CNIL lies in the obligation to inform the affected individuals. The commission found that the information presented on the company’s website was not only inaccurate but also incomplete. It lacked crucial details about the processing, such as the purposes pursued and the duration of data retention, making the information insufficient for users to make an informed choice.
Data Security: A Negligence Not to be Ignored
The CNIL also highlighted failures in data security. The requirements regarding password complexity for user accounts were not met, exposing users to an increased risk to the security of their personal information. Moreover, the hashing method used to store passwords did not provide adequate protection.
Impact Assessment and Compliance with Cookies
A fundamental aspect that was also overlooked is the absence of a Data Protection Impact Assessment (DPIA) before initiating targeted advertising practices on the social network. Given the volume of personal data processed, the CNIL emphasized that such an analysis should have been triggered, as the risks to users’ rights were considerable.
Finally, the issue of cookies and trackers was brought to light. The CNIL observed that eleven cookies subject to consent were placed on users’ devices before users had expressed any choice. Moreover, these cookies remained active even after users rejected them, which constitutes a clear violation of the rules governing cookie usage.
A Collaborative Decision at the European Level
It is important to note that this decision was made in cooperation with sixteen other European data protection authorities, since data of individuals living in those countries were also affected. The amount of the fine, 3.5 million euros, was determined by considering the severity of the breaches as well as the high number of affected individuals, estimated at over 10.5 million.
The CNIL also chose to make the deliberation public and alert the public to the rules to be followed regarding advertising on social networks, a practice notoriously widespread among companies. By informing the public, the regulatory body aims to raise awareness about the protection of personal data and users’ rights.
To learn more about the implications of this regulation in other contexts, you can consult articles related to the impact of blockchain, or age-related issues on social networks, as detailed in this one. Additionally, recent decisions regarding access restrictions to accounts on social platforms, as compiled in this article, demonstrate the various practices implemented to regulate the use of social networks.