CNIL penalty for data transfer to an advertising platform
1. Facts and procedure
First of all, it should be noted that the CNIL has anonymised these sanction proceedings, meaning that the entity against which the complaint was filed is referred to as 'Company X', the recipient of the data as 'Group Y', and the social network as 'Social Network Z'.
Company X is an entity that operates both through physical stores and its website and manages a loyalty program with millions of members across the European Union. As part of this program, Company X processed the personal data of its customers, such as their names, contact details, and date of birth.
From late 2018 until February 2024, Company X carried out targeted advertising campaigns on Social Network Z, periodically transmitting to Group Y the email addresses and/or phone numbers of members of its loyalty program who had consented to commercial communications, with the aim of matching them against users of that social network and serving them personalised advertisements.
By decision of December 21, 2022, the president of the CNIL ordered control measures, consisting of an online inspection of the website in January 2023 and an on-site inspection at the company's facilities. Following the investigation, in May 2025, the CNIL issued a sanction report for possible violations of Articles 6, 13, 32, and 35 of the GDPR and Article 82 of the French Data Protection Act.
Given the cross-border nature of the processing, the CNIL acted as the lead supervisory authority, activating the cooperation mechanism of Article 60 of the GDPR with no objections from other authorities, and ultimately adopted the sanctioning decision on December 30, 2025.
2. Reasons for the decision
The CNIL's decision examines various aspects of the data processing carried out by Company X, particularly in relation to its loyalty program and the targeted advertising practices on Social Network Z. Below, the main reasons upon which the supervisory authority based its decision are analysed:
1. Processing and status of data controller. Two main operations can be distinguished within Company X:
- The loyalty program of Company X.
- Targeted advertising on Social Network Z, which involved the transfer of the email addresses/phone numbers of X's members to Group Y for matching and for the creation of similar ('lookalike') audiences.
In this regard, the decision confirms that Company X acted as the data controller in the mentioned operations. This includes processing related to the website, the loyalty program, the data transfer to Group Y, and the management of advertising campaigns on Social Network Z. Although there was joint controllership with Y during the advertising segmentation phase, this circumstance did not exempt X from its responsibility for deciding to transfer the personal data to Group Y and for determining the purposes of the operation.
2. Lawfulness of processing (Art. 6.1.a GDPR). Company X relied on consent as the legal basis for sending its customers' data to Group Y, with the aim of showing them advertisements on Social Network Z where a matching profile existed and even of identifying similar users within the platform. However, the CNIL determined that this consent was not valid, as it was neither sufficiently clear nor specific. The loyalty program forms only referred to communications via SMS or email and did not explain that the data could be transferred to third parties for advertising on social networks. Additionally, the information regarding this transfer was scattered throughout the company’s policies, making it difficult for users to actually understand what they were consenting to.
The CNIL also pointed out that the consent granted upon registering to Social Network Z does not replace the consent that X had to obtain before transferring data to Group Y, as these are different types of processing. It also highlighted that the use of technical measures such as hashing does not remedy the lack of a valid legal basis for the transfer. Overall, the CNIL concluded that X breached Article 6.1.a of the GDPR by transferring data without adequate, informed, and specific consent for the purpose of targeted advertising.
3. Obligation to inform (Art. 13 GDPR). The information that Company X made available to users — such as the privacy policy, the general conditions of the loyalty program, and the general sales conditions — did not explain clearly and accessibly that their data could be sent to Group Y for behavioural advertising on Social Network Z. It also did not detail the legal basis used, the exact purpose of the processing, or how responsibilities were distributed among the parties involved. Furthermore, some documents still referred to the old Privacy Shield framework, which was invalidated in 2020, further contributing to the confusion regarding the actual processing of the data.
4. Security of processing and impact assessment (Articles 32 and 35 GDPR). The CNIL detected significant security gaps at Company X. In 2023, its password policy allowed weak passwords, and passwords were stored as SHA-256 hashes, a general-purpose hash function that is too fast to protect them adequately against brute-force guessing. Although in 2024 and 2025 the company strengthened its password policy and switched to Argon2, these improvements came too late: at the time of the inspection, the security was insufficient. Therefore, the CNIL concluded that Article 32 of the GDPR had been breached.
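To make the Article 32 finding concrete, the following added example (not code from the CNIL decision, Company X or the article's authors) contrasts the storage scheme the decision criticises, a fast unsalted SHA-256 digest, with a salted, memory-hard password hash, and shows the lazy migration a site performs when it moves legacy hashes to the new scheme on the user's next login. Because Argon2 is not in the Python standard library, `hashlib.scrypt` stands in for it here; the cost parameters, the storage string format and the function names are all assumptions for illustration.

```python
"""Added example: weak (unsalted SHA-256) vs memory-hard password storage,
plus verify-and-upgrade migration. scrypt stands in for Argon2 (assumption);
cost parameters are illustrative, not a recommendation for production."""
import hashlib
import hmac
import os
from typing import Optional, Tuple


# --- Weak scheme (what the decision criticises) -------------------------
def weak_hash(password: str) -> str:
    """Single unsalted SHA-256 digest: cheap to compute, so cheap to guess,
    and identical passwords always produce identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_hash(password), stored)


# --- Hardened scheme (scrypt standing in for Argon2) ---------------------
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed cost parameters (16 MiB)


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash. The salt and parameters are stored with the
    digest so that verification and future parameter upgrades are possible."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Parse the stored string and recompute with the same salt/parameters.
    Malformed records are rejected rather than raising."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- Migration: upgrade legacy records on successful login ---------------
def is_legacy_record(stored: str) -> bool:
    """A bare 64-hex-character string is an unsalted SHA-256 record."""
    return len(stored) == 64 and all(c in "0123456789abcdef" for c in stored)


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Returns (login_ok, replacement_record). The replacement is only produced
    when a legacy record verified, so the caller can persist the new hash."""
    if is_legacy_record(stored):
        if weak_verify(password, stored):
            return True, strong_hash(password)
        return False, None
    return strong_verify(password, stored), None


if __name__ == "__main__":
    legacy = weak_hash("correct horse")          # constructed legacy record
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print(ok, upgraded is not None and upgraded.startswith("scrypt$"))
```

The design point is that the stored record carries its own salt and cost parameters, so the scheme can be strengthened later without a forced password reset; the upgrade happens transparently the next time each user authenticates, which is how a company in Company X's position can retire SHA-256 records without keeping them indefinitely.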
Moreover, the processing analysed affected more than 10.8 million people and involved the transfer and interrelation of data between X and Group Y, which made an impact assessment mandatory before starting the processing. The company did not carry it out, leading the CNIL to declare a breach of Article 35 of the GDPR as well.
5. Cookies (Art. 82 of the French Data Protection Act). During the inspection conducted by the CNIL, it was found that Company X's website installed 11 cookies before the user could choose whether to accept them or not. Moreover, these cookies remained active even when the user selected the 'Continue without accepting' option. These included chat and personalisation cookies, which are not necessary for the basic functioning of the site and therefore require prior consent. Since the company did not respect this principle and allowed both the installation and reading of these cookies without the user's authorisation, the CNIL concluded that Article 82 of the French Data Protection Act had been breached.
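The cookie finding is easy to reproduce during a compliance review: capture the `Set-Cookie` headers returned before the user makes any choice, and again after the user clicks 'Continue without accepting', then compare them against the list of cookies that are strictly necessary for the site to function. The following added example (not code from the decision or the article) implements that check over constructed sample headers; the allowlist of essential cookie names and the cookie names themselves are assumptions, and cookies the server is deleting (`Max-Age=0` or an `Expires` date in the past) are treated as removals rather than violations.

```python
"""Added example: audit Set-Cookie headers for non-essential cookies written
before consent or kept after refusal. Sample headers and the essential-cookie
allowlist are constructed for illustration."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List

# Assumed allowlist: cookies strictly necessary for the site to work.
ESSENTIAL_COOKIES = {"session_id", "consent_choice"}

# Constructed headers observed before the user made any choice.
PRE_CHOICE_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "consent_choice=pending; Path=/; Max-Age=15552000",
    "chat_widget_uid=u-9f2; Path=/; Max-Age=31536000",
    "personalisation_segment=seg-42; Path=/; Max-Age=7776000",
    "ab_test_bucket=B; Path=/",
]

# Constructed headers observed after clicking 'Continue without accepting'.
AFTER_REFUSAL_SET_COOKIE = [
    "consent_choice=refused; Path=/; Max-Age=15552000",
    "ab_test_bucket=; Path=/; Max-Age=0",                                   # removed
    "chat_widget_uid=u-9f2; Path=/; Max-Age=31536000",                      # still set
    "personalisation_segment=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",  # removed
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'name=value; attr=val; flag' into a dict; attribute keys are
    lower-cased, the cookie name is kept under 'name'."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def is_deletion(cookie: Dict[str, str]) -> bool:
    """A Set-Cookie with Max-Age=0 or a past Expires date deletes the cookie."""
    if cookie.get("max-age") == "0":
        return True
    expires = cookie.get("expires")
    if expires:
        try:
            return parsedate_to_datetime(expires) < datetime.now(timezone.utc)
        except (TypeError, ValueError):
            return False
    return False


def non_essential_set(headers: Iterable[str],
                      essential: Iterable[str] = ESSENTIAL_COOKIES) -> List[str]:
    """Names of cookies actually being set that are not on the allowlist."""
    essential = set(essential)
    found = set()
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in essential or is_deletion(cookie):
            continue
        found.add(cookie["name"])
    return sorted(found)


def audit(pre_choice: Iterable[str], after_refusal: Iterable[str],
          essential: Iterable[str] = ESSENTIAL_COOKIES) -> Dict[str, List[str]]:
    """Both lists should be empty on a compliant site: nothing non-essential
    before the choice, and nothing non-essential surviving a refusal."""
    return {
        "set_before_choice": non_essential_set(pre_choice, essential),
        "still_set_after_refusal": non_essential_set(after_refusal, essential),
    }


if __name__ == "__main__":
    for finding, names in audit(PRE_CHOICE_SET_COOKIE, AFTER_REFUSAL_SET_COOKIE).items():
        print(f"{finding}: {names}")
```

Run against real traffic, the two captures would come from a browser with a fresh profile (first page load, then the refusal click) rather than the constructed lists above; the allowlist is the part that needs a justification per cookie, since the decision treats chat and personalisation cookies as requiring prior consent.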
In summary, the violations identified by the CNIL show that Company X did not ensure an adequate level of GDPR compliance in terms of valid consent, transparent and detailed information, robust security measures, adequate risk assessment, and the lawful installation and use of cookies.
3. Conclusions
The CNIL's decision shows that Company X did not adequately implement the basic data protection obligations established by the GDPR, particularly regarding large-scale processing. In this case, the authority found violations in key areas: consent that did not cover advertising on social networks, incomplete information for users, insufficient security measures, and the absence of an impact assessment for the mass processing of millions of records. These elements, analysed together, demonstrate that the company did not adequately manage the risks associated with the intensive use of personal data, especially in sensitive areas such as targeted advertising.
The fine of €3.5 million reflects the seriousness and duration of these practices, but also the importance of acting rigorously from the very design phase of any processing. For the CNIL, data protection cannot be limited to ad hoc adjustments or late corrections; it must be integrated as an essential part of daily operations, including transparency, security, and realistic risk assessment.
Thus, the analysed case demonstrates that user trust and GDPR compliance go hand in hand; only organisations that incorporate privacy into every decision can operate responsibly and sustainably in today’s digital environment.
Informative note prepared by the Data Protection team of ECIJA Madrid.