Transfer of data to a social network for advertising purposes: the CNIL imposed a fine of €3.5 million

22 January 2026


On 30th December 2025, the CNIL imposed a fine of €3.5 million on a company for transferring the data of members of its loyalty programme to a social network for advertising targeting purposes, without valid consent.

Background information

In January 2023, the CNIL carried out several investigations into the company concerned. It found, in particular, that since February 2018, the company had been transmitting the email addresses and/or telephone numbers of members of its loyalty programme to a social network. This data was used to display targeted advertisements on this network to promote the items sold by the company.

Following these investigations, the restricted committee – the CNIL body responsible for issuing sanctions – considered that the company had failed to comply with several obligations under the General Data Protection Regulation (GDPR) and the French Data Protection Act. It imposed a fine of €3.5 million on the company. This decision was adopted in cooperation with 16 European counterparts of the CNIL, since data relating to individuals residing in those countries was concerned.

The amount of the sanction took into account the seriousness of the breaches identified, two of which relate to fundamental principles of data protection, as well as the high number of individuals affected (more than 10.5 million).

The restricted committee also decided to make its deliberation public. It considered that, since the use of targeted advertising on social networks is a widespread practice among economic operators, it was important to inform the public about the rules applicable in this area, without it being, in this case, necessary to name the company concerned.

Breaches sanctioned

Breach of the obligation to have a legal basis (Article 6 of the GDPR)

The CNIL considered that the targeted advertising operations carried out on the social network, based on the transmission of personal data of loyalty programme members, had no legal basis.

To justify this processing, the company referred to the consent of the individuals concerned, obtained when they joined the company's loyalty programme and agreed to receive marketing communications by SMS and/or email.

However, the CNIL considered that the consent of these individuals had not been validly obtained insofar as:

  • no information was provided on the loyalty programme membership form about the transfer of data for targeted advertising on a social network;
  • the information provided in the documents accessible from the company's website (in particular the personal data policy) either did not mention the transfer of data to the social network or did not make it clear what the purpose of this data transfer was. This information was insufficient to obtain the informed consent of individuals, and moreover, the process for accessing these various documents was complex.

Therefore, these conditions did not allow individuals to give explicit and informed consent, as could have been achieved, for instance, by a checkbox clearly stating the purpose of this processing.

A breach of the obligation to inform data subjects (Articles 12 and 13 of the GDPR)

The CNIL noted that the information provided on the company's website was inaccurate, in particular because it did not clearly link the purposes of the processing to the corresponding legal bases. The information was also incomplete on certain points (no mention of the purpose of targeted advertising processing and the retention period for loyalty programme members' data) and/or incorrect (the information on data transfer referred to the Privacy Shield, which is no longer applicable).

A breach of the obligation to ensure data security (Article 32 of the GDPR)

The CNIL found that the rules governing the complexity of user account passwords were not sufficiently robust.

In addition, the restricted committee pointed out that the SHA-256 hash function did not enable secure storage of passwords.
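To make the Article 32 point concrete, the following added example (written for this page; it is not code from the decision or from the company concerned) contrasts a bare SHA-256 digest with a salted, memory-hard scrypt record and measures how many guesses per second each scheme lets an attacker test on one CPU core. The sample password and the scrypt cost factors are constructed, illustrative values.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed sample password for the demonstration (not from the decision).
SAMPLE_PASSWORD = "loyalty-2018"

def sha256_store(password: str) -> str:
    """The scheme criticised under Article 32: one unsalted, fast digest.
    Identical passwords give identical digests across all accounts, and
    commodity hardware evaluates SHA-256 billions of times per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard password hash; the n/r/p cost factors below are
    illustrative and should be tuned to the deployment's hardware."""
    salt = salt if salt is not None else os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=32)
    # Self-describing record so parameters can be raised later without a reset.
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"

def scrypt_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)

def hashes_per_second(store_fn: Callable[[str], str], seconds: float = 0.2) -> float:
    """Rough throughput measurement: how many guesses a single CPU core can
    test per second against each scheme. Lower is better for storage."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        store_fn(SAMPLE_PASSWORD)
        count += 1
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    print("sha256 :", sha256_store(SAMPLE_PASSWORD))
    print("scrypt :", scrypt_store(SAMPLE_PASSWORD))
    print(f"sha256 guesses/s: {hashes_per_second(sha256_store):,.0f}")
    print(f"scrypt guesses/s: {hashes_per_second(scrypt_store):,.0f}")
```

Two scrypt records for the same password differ because of the random salt, while the SHA-256 digest is identical for every account using that password; that difference, together with the throughput gap, is what the committee's finding turns on.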

Failure to carry out an impact assessment (Article 35 of the GDPR)

The company had not carried out a data protection impact assessment (DPIA) before implementing targeted advertising on the social network, even though this processing involved:

  • a significant volume of personal data;
  • the cross-referencing of data.

Such processing was likely to result in a high risk to the rights and freedoms of the data subjects and should therefore have been subject to a prior DPIA.

A breach of obligations relating to the use of cookies and trackers (Article 82 of the French Data Protection Act)

Finally, the CNIL found that when a user visited the company's website, eleven cookies subject to consent were placed on their device, even before they had made a choice.

Furthermore, even when the user refused the placement and reading of non-essential cookies, the eleven cookies placed were not deleted from the browser and continued to be read, in violation of the applicable rules.