CNIL Slaps €3.5 Million Fine Over Loyalty Data Used for Social Media Ad Targeting

Key Takeaways

  • Loyalty Programs Do Not Equal Blanket Consent: Agreeing to receive marketing emails or texts does not automatically authorize the transfer of data to social networks for ad targeting.
  • Incomplete Privacy Information Can Invalidate Consent: Vague, fragmented, or outdated disclosures undermine the ability of individuals to make informed choices.
  • Security and Governance Failures Compound Risk: Weak password protections and the absence of a data protection impact assessment weighed heavily in the sanction.
  • Cookie Consent Remains a Live Enforcement Issue: Placing consent-based cookies before user choice, or failing to remove them after refusal, continues to attract regulatory scrutiny.

Deep Dive

France’s data protection authority, the CNIL, has imposed a €3.5 million fine on a company for unlawfully using the personal data of its loyalty program members to fuel targeted advertising on a social network. The sanction, adopted on 30 December 2025 and announced publicly on 22 January 2026, stems from long-running practices that the regulator says breached core principles of EU data protection law and affected more than 10.5 million people.

The case traces back to investigations launched by the CNIL in January 2023. Those inquiries revealed that, since February 2018, the company had been transmitting the email addresses and telephone numbers of loyalty program members to a social network. That data was then used to target users with advertisements promoting the company’s products.

At the heart of the decision is consent, or rather the lack of it. The company argued that customers had consented when joining the loyalty program and agreeing to receive marketing communications by email or SMS. The CNIL rejected that position. According to the regulator, individuals were never clearly informed that their data would be shared with a social network for targeted advertising purposes, either at the point of sign-up or through accessible, intelligible documentation on the company’s website.

The restricted committee found that the information available online was fragmented, vague, or incomplete. In some cases it did not mention the data transfer at all; in others it failed to explain the purpose behind it. Accessing the relevant documents also required navigating a complex set of pages. The CNIL concluded that customers could not have provided explicit and informed consent. Such consent would have required a clear, unambiguous mechanism, such as a dedicated opt-in checkbox explaining the advertising use.

Transparency failures did not stop there. The CNIL also found that the company had breached its duty to properly inform data subjects. Privacy information on the website did not clearly link processing purposes to their legal bases, omitted key details such as retention periods, and in some cases was simply wrong. Notably, references were made to the Privacy Shield framework, despite its invalidation.

The authority also pointed to weaknesses in the company’s security practices. Password complexity rules were deemed insufficient, and the use of the SHA-256 hashing function was considered inadequate for secure password storage. These shortcomings, the CNIL said, exposed users to unnecessary risk.
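To illustrate the password-storage finding, here is an added example (not code from the decision or the sanctioned company) contrasting a bare SHA-256 digest with a salted, memory-hard scrypt record from Python's standard library, plus a small audit helper that flags stored values that look like unsalted SHA-256; the sample password and usernames are constructed.

```python
import hashlib
import hmac
import os
import re

# Constructed sample credential for the demo; not taken from the decision.
SAMPLE_PASSWORD = "correct horse battery staple"

def sha256_store(password: str) -> str:
    """The kind of scheme the CNIL found inadequate: one fast, unsalted SHA-256 digest.
    Two users with the same password get identical records, and because SHA-256 is
    designed to be fast, a leaked table can be tested against at very high rates."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1   # tunable work factor

def scrypt_store(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard scrypt with its parameters kept next to the digest,
    so the work factor can be raised later without breaking existing logins."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False          # malformed or legacy record, never a match
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Memory touched per guess (128 * r * n bytes): the cost that makes bulk
    parallel guessing expensive. A plain SHA-256 digest has no such cost."""
    return 128 * r * n

_BARE_SHA256 = re.compile(r"^[0-9a-f]{64}$")

def audit_records(records: dict) -> list:
    """Audit helper: usernames whose stored value looks like a bare, unsalted
    SHA-256 digest (64 hex chars) rather than a tagged KDF record."""
    return [user for user, stored in records.items() if _BARE_SHA256.match(stored)]
```

Records found by `audit_records` cannot be converted offline (the plaintext is unknown); the usual migration is to re-hash with scrypt at the user's next successful login.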

In addition, the company failed to carry out a data protection impact assessment before launching targeted advertising on the social network. Given the scale of the processing and the combination of personal data involved, the CNIL determined that the activity was likely to pose a high risk to individuals’ rights and freedoms and should have been assessed in advance.

The investigation further uncovered violations related to cookies and trackers. When users visited the company’s website, 11 cookies requiring consent were placed on their devices before any choice had been expressed. Even when users actively refused non-essential cookies, those already placed were not deleted and continued to be read, which is another breach of French data protection rules.

Because the processing concerned individuals in 16 other European countries, the decision was adopted in cooperation with the CNIL’s European counterparts. While the authority chose not to name the company, it opted to publish the decision in full. The restricted committee said the goal was to clarify the rules around targeted advertising on social networks, a practice it noted has become routine across many sectors.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.