Social media advertising: the French DPA sanctions the transmission and combination of data for targeting purposes without valid information and consent

CNIL deliberation no. SAN-2025-017 of December 30, 2025

In a decision dated December 30, 2025, made public on January 22, 2026, the French data protection authority (“CNIL”) imposed an administrative penalty of €3.5 million on a company operating a loyalty program for several breaches of the requirements of the GDPR. The decision relates to widespread practices: the transmission and combination of personal data with that of a social network for advertising targeting, carried out in this case without valid consent and without adequate information being provided to the individuals concerned.

An ad targeting mechanism based on the use of customer loyalty data

The sanctioned company had, on a regular basis for several years, transmitted the email addresses and/or telephone numbers of members of its customer loyalty program to a social network, in order to enable those data to be matched with user accounts on the platform.

This operation pursued a dual objective: to display targeted advertisements to customers already identified as members of the loyalty program, but also to reach social network users with “similar” profiles (so-called “lookalike audience”).

This is a widely used advertising practice, which explains why the CNIL, although it removed the name of the sanctioned company, considered it necessary to make its decision public.

The CNIL recalls that, in accordance with the EDPB guidelines on the targeting of social media users, the entity that actively decides to transmit data to a social network for advertising purposes determines the purposes and the essential means of the processing. It must therefore be regarded as the controller of the targeted advertising processing carried out on the social network.

In this decision, the CNIL does not rule on the exact role played by the social media platform. It follows from the decision that the company presented the platform as a mere processor for the transmission and matching of the data, and as a joint controller only for the display of targeted advertisements.

However, it cannot be excluded that a situation of joint controllership could have been recognized by the CNIL for the initial matching phase, in light of the platform’s active involvement in the essential means of the processing, in particular the performance of data combination operations and the identification of similar profiles within its own databases.

Lack of valid consent

With regard to the legal basis, the company argued that the processing was based on the consent of the individuals concerned, obtained when they joined the loyalty program and agreed to receive commercial prospecting messages by email or SMS.

The CNIL rejected this analysis. In particular, it noted that:

  • At the time of the membership form, there was no explicit mention of the transmission of data to a social network or its use for targeted advertising on a third-party platform.

  • The documents accessible via secondary links (privacy policy, program terms and conditions) either did not mention this transfer or did so in terms that were too general to enable individuals to understand the exact purpose of the processing.

  • The process for accessing the information was particularly complex, which prevented truly informed consent.

The decision further clarifies that consent obtained on the social media platform applies only to the processing operations performed on that platform and cannot substitute for the consent that must be obtained by the advertiser for the prior disclosure of the data.

Under these circumstances, the CNIL considers that the consent invoked could not be specific or informed within the meaning of Article 4.11 of the GDPR and the established case law of the CJEU.

The mere fact of agreeing to receive commercial offers cannot, in itself, constitute consent to the combination of data from a loyalty program with that of a social network in a separate advertising ecosystem.

The argument based on the pseudonymization of the transmitted data through prior “hashing” was also rejected: the CNIL pointed out that hashing does not exempt companies from the requirement to have a legal basis or to provide adequate information. The decision also noted that the telephone numbers were transmitted in plain text. Thus, the requirements relating to the legal basis and information remained fully applicable.

Failure to provide clear and accessible information to data subjects

Beyond the absence of a legal basis, the CNIL found an independent breach of the information obligation provided for in Articles 12 and 13 of the GDPR.

The information provided to members of the loyalty program did not allow them to clearly identify:

  • The existence of a transfer of their data to a social network, as well as the latter’s joint responsibility for displaying advertisements.

  • The specific purposes pursued (advertising targeting and the creation of similar audiences).

  • The practical consequences of this transfer on the display of personalized advertisements.

The CNIL emphasizes that fragmented information, scattered across several documents and formulated in an imprecise manner, does not meet the transparency requirement set out in the GDPR, particularly when the processing operations in question are likely to have a significant impact on individuals’ privacy.

The CNIL also notes that at the time of the inspection (January 2023), the legal bases for the processing were not given by purpose, the retention periods under the loyalty program were not indicated, and the references to international transfers still referred to the Privacy Shield (now obsolete), prior to an update to the Data Privacy Framework on June 20, 2025.

Additional breaches: security and impact assessment

The decision is not limited to issues of consent and transparency. The CNIL also notes:

  • Security: A breach of Article 32 of the GDPR due to insufficient security measures surrounding access to customer accounts on the website, which gave access to a large volume of personal data (identity, contact details, date of birth, loyalty data). During the online audit, it was found that the password policy allowed passwords consisting of eight characters with the sole requirement of including a number, which led to a level of entropy well below the recommendations of the CNIL and ANSSI (approximately 26 bits, instead of the recommended minimum of 50 bits). In a context involving the processing of data relating to more than ten million people, the restricted committee considers that these requirements were clearly insufficient to prevent the risk of unauthorized access.

The CNIL also notes that passwords were stored using the SHA-256 hash function, which, although accompanied by a salt, was not suitable for secure password storage due to its speed of execution. It points out that the state of the art requires the use of slow hash functions specifically designed for this purpose (such as Argon2 or bcrypt) in order to limit the effectiveness of brute force or dictionary attacks in the event of a compromise. Although the company complied during the proceedings, these shortcomings characterize, for the period audited, a failure to comply with the obligation to ensure a level of security appropriate to the risks.

  • DPIA: A breach of the obligation to carry out a data protection impact assessment (DPIA), even though the targeted advertising operations were based on large-scale processing, involving the combination of data from different sources and concerning several million people (approximately 10.5 million in this case).
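As an added illustration of the two security findings above (example code, not from the decision or the company): a simplified worst-case entropy estimate for the password policy described, and the salted SHA-256 storage scheme beside a slow-KDF replacement. scrypt stands in for the Argon2/bcrypt named in the decision only because it ships in Python's standard library; the character-class sizes and KDF parameters are assumptions.

```python
import hashlib
import hmac
import math
import os

# Conventional character-class sizes used in password entropy estimates (assumed).
CLASS_SIZES = {"digit": 10, "lower": 26, "upper": 26, "symbol": 33}
RECOMMENDED_MIN_BITS = 50  # minimum cited in the decision for CNIL/ANSSI guidance

def worst_case_entropy_bits(min_length, required_classes):
    """Entropy of the weakest password a policy still accepts (simplified model).

    A policy only guarantees the classes it requires, so the weakest compliant
    password is min_length characters drawn only from those classes. With no
    requirement beyond "one digit", that is an all-digit password: 10^8, ~26.6 bits.
    """
    classes = set(required_classes) or {"digit"}
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return min_length * math.log2(alphabet)

def policy_is_adequate(min_length, required_classes):
    return worst_case_entropy_bits(min_length, required_classes) >= RECOMMENDED_MIN_BITS

# Legacy scheme as described in the decision: salted SHA-256. The salt defeats
# precomputed tables, but one SHA-256 costs microseconds, so whoever obtains the
# database can test an enormous number of guesses per second offline.
def legacy_hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Corrected scheme: a deliberately slow, memory-hard KDF with a per-user salt.
# Parameters below are illustrative, not prescribed by the CNIL.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)

def store_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()  # stored record: salt and digest

def verify_password(password, record):
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```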

Cookies and trackers: a separate fine of €1 million

Independently of the targeted advertising processing on the social network, the CNIL sanctioned the company for breaches of the rules applicable to cookies and trackers, on the basis of Article 82 of the French Data Protection Act.

Following the online inspection on January 5, 2023, the CNIL noted that several cookies subject to consent had been stored before consent had actually been obtained, and that certain trackers continued to be read despite the user’s refusal.

According to the CNIL, these practices justify the imposition of a specific fine of €1 million, separate from the fine imposed for breaches of the GDPR.

A decision recalling the rules governing targeted advertising on social networks

By making this decision public, the CNIL wanted to send a clear reminder to economic players who use targeted advertising on social networks, which is a very widespread practice. In particular, the decision illustrates that data collected as part of loyalty programs cannot be used for diversified targeting strategies without the separate, explicit, and properly informed consent of the individuals concerned.