
Deliberation SAN-2025-001 of 15 May 2025

As part of its control program for 2022, the CNIL had announced that it would be focusing part of its investigations on direct marketing practices, in particular those of intermediaries specializing in the compilation and resale of contact files, commonly known as data brokers. The first sanction decision published by the CNIL in 2025 (May 21) is part of this dynamic. Based on a concrete case, it confirms the conditions under which direct marketing can be carried out using indirectly collected data.

The Data Processing in Question

The sanctioned operator offers two types of services to its advertising customers: on the one hand, the execution of electronic direct marketing campaigns on behalf of its customers (SMS, e-mails); on the other, the provision of data segments for the purpose of carrying out telephone or postal marketing operations by customers. In both cases, the personal data in question is initially collected by several third-party brokers, from whom the operator sources data. The operator then aggregates the data into a single database, which it controls entirely.

In this case, the CNIL noted that the operator determines the criteria for setting up its database, the sources used, the data collected and the storage conditions. It also defines, in its contractual terms and conditions, the cases in which data may be used by its customers for marketing purposes. Under these circumstances, the operator was considered the data controller, both for the creation of the database and for the direct marketing activities it performed itself (on behalf of its customers), as well as for transmitting data to customers for their own telephone or postal marketing campaigns.

Beyond the operator’s individual responsibility – the sole subject of the sanction – the CNIL’s restricted panel emphasized that every actor involved in the data processing chain – be it the original collector, the sanctioned operator, or its customers – remains responsible for the legality of the operations in which they participate. In particular, with regard to customers, the restricted panel did not rule out the possibility that they could be considered joint controllers for certain processing activities, though it did not expressly decide on that point.

Electronic Marketing: Failure to Obtain Valid Consent

The facts and the analysis of the restricted panel in this new case are very similar to three other CNIL deliberations concerning personal data brokers and their customers (deliberations SAN-2023-025 of December 29, 2023, SAN-2024-003 of January 31, 2024 and SAN-2024-004 of April 4, 2024).

In the present case, the operator based its electronic marketing campaigns on the consent obtained by its broker partners, via online forms integrated into online competitions and product tests. CNIL’s analysis of these forms revealed several major flaws:

  • Most forms were designed around a single button (“I PARTICIPATE”, “I VALIDATE”, etc.), which both validated registration for the game and accepted the transmission of data to partners. A link was provided to allow participation without transmitting data, but this was presented in smaller font, inserted in a paragraph with no particular emphasis.
  • Other forms featured two buttons (“I VALIDATE” / “I REFUSE”), but the consequences of each were not clearly explained. In particular, the wording “I REFUSE” could give the impression that the user was giving up participation in the game, when it actually meant participating without data sharing.

Unsurprisingly, the restricted panel considered that these forms, which were representative of dark design practices, did not enable users to express free, specific and unambiguous consent.

Although the operator did not design these forms, as data controller it should have ensured the validity of the consent it was relying on. The restricted panel reiterated that it is not sufficient to rely solely on contractual provisions requiring data providers to obtain valid consent. It is also necessary to carry out concrete audits and draw appropriate conclusions. In this case, the operator had carried out verifications, but these had been rather late and, above all, the operator had continued to use the audited brokers even though it was clear that the collection forms used were non-compliant.

The CNIL therefore found that the company had failed to comply with the provisions of article L34-5 of the French Post and Electronic Communications Code, which requires prior consent for electronic marketing operations.

In the case of another data broker, the operator had never received a response to its requests for verification of the conditions under which consent had been obtained. In the absence of any information, it was unable to provide proof of this – even though it continued to use the data supplied by this broker. As a result, the restricted panel found a breach of Article 7 of the GDPR, which requires the data controller to demonstrate the existence of valid consent when it constitutes the legal basis for processing.

Transmission of Data for Postal or Telephone Marketing: Partially Valid Use of Legitimate Interest

The operator offered its customers access to targeted segments from its database, with a view to enabling the latter to conduct postal or telephone marketing campaigns themselves. These transmissions were based on Article 6(1)(f) of the GDPR, relating to legitimate interest.

The CNIL’s restricted panel carried out a differentiated analysis depending on the source of the data concerned.

On the one hand, some of the data came from a telephone directory, a partner of the operator:

  • The CNIL pointed out that these data are published by telephone operators in compliance with regulatory obligations (in particular, pursuant to article R.10 of the French Post and Electronic Communications Code), and that they are intended to be freely consultable by third parties, unless the data subjects opt out. The reuse of this data for commercial marketing purposes can, in this context, be reasonably anticipated by data subjects who have not opted out (the directory publisher having guaranteed that it had removed the opt-outs from the data transmitted to the entity audited by the CNIL).

The restricted panel considered that, as far as these specific data are concerned, the conditions for relying on legitimate interest are met: the purpose pursued is lawful, the processing is necessary, and the rights of individuals do not appear to prevail.

  • However, the panel expressly recalled that the validity of relying on legitimate interest in this case did not exempt the operator from compliance with the other obligations of the GDPR, particularly with regard to informing data subjects and their right to object.

In particular, it emphasized that when data is transmitted successively – from the initial collector to the intermediary, and then to its own customers – data subjects must be informed of the existence of these indirect recipients. This information can be provided either by the initial collector, or by the successive recipients, provided that it enables individuals to understand the extent of the circulation of their data.

In the case under consideration, the restricted panel was unable to establish with certainty whether the information relating to second-tier recipients had been correctly provided, but it did not find any breach on this point, as the grievance examined related solely to the legal basis of the processing. However, it pointed out that this absence of failure does not constitute validation of the information practices implemented, and invited the operator to reassess its information procedures in this respect.

On the other hand, some data came from entries to competitions and product tests:

  • First of all, the restricted panel pointed out that the consent obtained by the initial collectors was not valid, due to the design of the forms used. This legal basis could therefore not be used to transmit the same data to the operator’s customers.
  • Moreover, although individuals may have been informed that their data had been passed on to the intermediary operator, they were not given any information about the possibility of this data being passed on to third parties, in this case the operator’s customers. In this context, individuals could not reasonably anticipate such reuse, which ruled out the possibility of basing such processing on legitimate interest. Consequently, the transmission of data by the operator to its customers had no legal basis in compliance with the GDPR.

Penalties imposed

The CNIL imposed an administrative fine of 900,000 euros on the operator, as well as an injunction to bring its processing to compliance within nine months, subject to a penalty of 10,000 euros per day of delay. In particular, the CNIL found that the operator had been negligent in continuing to use its partners’ data for several months, even though its own checks had revealed that the latter were using illicit means of data collection. The decision has also been made public by the CNIL.

This decision highlights the need for vigilance on the part of companies using the services of data brokers. In this highly reasoned decision, the CNIL reaffirms that outsourcing certain processing operations does not allow data controllers to absolve themselves of compliance with the rules applicable to them, particularly in terms of legal basis, information to individuals and ability to demonstrate the lawfulness of processing.
