CNIL sanctions unauthorized disclosure of loyalty data to social media for advertising purposes
Update Data Protection No. 239
The French data protection authority CNIL has sanctioned a company for extensive GDPR violations with a total of €3.5 million, of which €2.5 million is for GDPR violations and €1 million is for cookie violations under French law implementing the ePrivacy Directive.
The focus of the decision is particularly relevant in practice: the company had transferred data from more than 10.5 million members of a bonus or loyalty programme to a social media platform for targeted advertising without ensuring a sound legal basis for doing so. The decision was adopted in a consistency procedure involving 16 other supervisory authorities.
Facts
According to the CNIL's findings, between late 2018 and February 2024, the company transferred personal data of members of its loyalty programme to an unnamed social media platform, in particular email addresses and telephone numbers. The platform matched these identifiers with its users and, in the event of a match, displayed personalized advertisements promoting the company's products.
Even though, according to the CNIL, only around 1.6 million of the records could be matched to a social media account and subsequently received advertising, the CNIL treated the transfer itself, covering more than 10.5 million individuals, as a separate, unlawful processing operation, regardless of whether a match occurred.
Key statements by the CNIL
1. No effective consent for disclosure to social media
The CNIL criticized that the consent of loyalty programme members was only directed at receiving advertising via text message and email. According to the CNIL, there was no separate, informed consent for the transfer of identifiers to third parties for advertising purposes. This meant that the necessary legal basis was lacking.
2. Platform consent does not replace consent from the advertising company
The company argued that social media users had given their consent by accepting the platform's privacy policy. The CNIL clearly rejected this for two reasons:
- Not all data subjects whose data was transferred had a social media account at all.
- Even for users, any consent only referred to processing by the platform in its own context and not to the upstream data transfer by the company.
This distinction is central to common advertising setups. Advertising companies that transfer data to social media must establish and document the legal basis for doing so themselves.
3. DPIA obligation for large-volume, cross-company linking
The CNIL classified the targeting as high-risk, particularly due to the large amounts of data and the cross-linking between companies. A required data protection impact assessment was missing.
4. Information obligations under Art. 13 GDPR
The CNIL criticized incomplete information, including a lack of clear assignment of processing activities to their respective legal bases and missing information on storage periods. In addition, it objected that the information on data transfers to the US was out of date, as reference was still made to the EU-US Privacy Shield even though it had already been declared invalid at the time.
5. Security deficiencies in passwords
The CNIL considered the password requirements to be insufficient. In addition, the way passwords were stored was deemed unsuitable because it left them more exposed than necessary.
6. Cookie violations after ePrivacy implementation
According to the CNIL's findings, the company set several non-essential cookies before a consent decision was made and did not reliably delete certain cookies even after they were rejected.
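The two cookie failures the CNIL describes are easy to reproduce on the server side: a response that emits advertising or analytics cookies before any consent decision exists, and a refusal that is recorded but never translated into deletion headers. The following is an added example, not code from the decision or from the sanctioned company; the cookie names, categories and attributes are assumptions. It gates every Set-Cookie header on the consent state, emits deletion headers on refusal, and includes the kind of audit a regular test would run against real response headers.

```python
"""Consent-gated Set-Cookie emission with technically enforced refusal.

Added example (assumed cookie names and attributes, not the company's code).
consent=None means no decision yet, True means accepted, False means refused.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

ESSENTIAL = "essential"          # session, CSRF token, the consent record itself
NON_ESSENTIAL = "non-essential"  # analytics, advertising, social-media pixels


@dataclass(frozen=True)
class CookieSpec:
    name: str
    value: str
    category: str
    path: str = "/"
    domain: Optional[str] = None   # must match the original for deletion to work
    max_age: int = 3600


# Constructed catalogue of cookies the site wants to set (hypothetical names).
CATALOGUE = [
    CookieSpec("sid", "abc123", ESSENTIAL),
    CookieSpec("cookie_consent", "pending", ESSENTIAL, max_age=15552000),
    CookieSpec("_ga_like", "GA1.2.1", NON_ESSENTIAL, domain=".example.test", max_age=63072000),
    CookieSpec("_ad_id", "user-42", NON_ESSENTIAL, domain=".example.test"),
]


def _header(c: CookieSpec) -> str:
    parts = [f"{c.name}={c.value}"]
    if c.domain:
        parts.append(f"Domain={c.domain}")
    parts += [f"Path={c.path}", f"Max-Age={c.max_age}", "Secure", "SameSite=Lax"]
    return "; ".join(parts)


def set_cookie_header(c: CookieSpec) -> str:
    return _header(c)


def delete_cookie_header(c: CookieSpec) -> str:
    # Browsers only drop a cookie when name, Domain and Path match the one
    # they hold; an empty value with Max-Age=0 is the deletion idiom.
    return _header(replace(c, value="", max_age=0))


def cookies_for_response(consent: Optional[bool], catalogue=CATALOGUE) -> List[str]:
    """Build the Set-Cookie headers for one response given the consent state."""
    state = {None: "pending", True: "accepted", False: "refused"}[consent]
    headers = []
    for c in catalogue:
        if c.name == "cookie_consent":
            headers.append(set_cookie_header(replace(c, value=state)))
        elif c.category == ESSENTIAL:
            headers.append(set_cookie_header(c))
        elif consent is True:
            headers.append(set_cookie_header(c))
        elif consent is False:
            # Enforce the refusal, including for cookies already in the browser.
            headers.append(delete_cookie_header(c))
        # consent is None: emit nothing for non-essential cookies.
    return headers


def audit(headers: List[str], catalogue=CATALOGUE) -> Dict[str, List[str]]:
    """Regular test: which non-essential cookies does a response set or delete?"""
    non_essential = {c.name for c in catalogue if c.category == NON_ESSENTIAL}
    result: Dict[str, List[str]] = {"set": [], "deleted": []}
    for h in headers:
        name = h.split("=", 1)[0]
        if name not in non_essential:
            continue
        bucket = "deleted" if "Max-Age=0" in h.split("; ") else "set"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    for state in (None, True, False):
        print(state, audit(cookies_for_response(state)))
```

The audit function accepts any list of Set-Cookie header strings, so the same check can run in a CI test against a staging response or in a periodic scan of production; a non-empty "set" bucket for the pending or refused state is exactly the finding the CNIL made.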
7. Remedial action does not protect against sanctions
The CNIL acknowledged that the company had made extensive remedial improvements during the proceedings, including terminating transmissions, adjusting cookies, updating information, and switching to stronger password hashing. Nevertheless, substantial fines were imposed.
Implications for practice
The decision addresses a pattern that is very common in consumer goods, retail, and loyalty ecosystems: CRM and loyalty programme data are provided to social media as identifiers in order to match existing customers on the platform and then serve advertising. It is precisely at this interface that the greatest compliance risks regularly lie.
The CNIL makes it clear that obtaining general marketing consent or referring to platform documentation is not sufficient for legality. Data transfer to social media is a separate processing step that requires a separate legal basis, robust transparency, and a risk-adequate governance setup.
What companies should do now
Separate and clarify consent design: Consent for direct marketing via email or SMS does not automatically constitute consent for the transfer of identifiers to social media. Anyone who wants to base this transfer on consent needs separate, clear, and verifiable consent that describes the data flow to the platform and the purpose of the matching in a comprehensible manner.
Fully document social media data flow: Technical design, data categories involved, matching logic, recipients, third-country transfers, and storage periods must be consistently reflected in the records of processing activities, the information provided to data subjects, and internal approvals.
DPIA check for targeting and matching use cases: In the case of large-volume inventories and cross-company links, it is necessary to check at an early stage whether a data protection impact assessment is required.
Update and operationalize information texts: Data protection notices should describe the specific processing in such a way that data subjects understand what is happening. This includes clear legal basis assignment, storage periods, and current information on third-country transfers, where relevant.
Ensure cookie compliance from a technical perspective: Non-essential cookies may only be set after effective consent has been given. Refusals must also be enforced from a technical perspective, including deletion mechanisms and regular tests.
Do not neglect security basics: Password requirements and secure storage remain standard points of attack. Even though the decision focuses on marketing, the case shows that supervisory authorities regularly review the entire compliance setup in such proceedings.
Conclusion
The CNIL decision is a clear message to companies with loyalty and CRM-driven marketing: the transfer of customer identifiers to social media is not a minor issue, but a central compliance block with high potential for fines. Particularly important is the key message that neither general marketing consents nor the acceptance of platform policies can replace the company's own legal basis for the transfer. Ex-post corrections may mitigate follow-up measures, but they do not necessarily prevent severe sanctions for past actions.