


Online targeted advertising: a high-risk practice when compliance falls short

published on 27 January 2026 | reading time approx. 5 minutes


Online targeted advertising is hardly a new issue. It was in fact identified by the French data protection authority (CNIL) as a priority topic for 2019 and 2020 [1], and subsequently taken up by the European Data Protection Board (EDPB) in 2021 through the publication of its Guidelines on the targeting of social media users [2].

And yet, in late December 2025, CNIL made headlines by imposing a staggering Euro 3.5 million fine on a company for unlawfully transmitting contact data of loyalty-program members to a social media platform for targeted advertising purposes!

Almost eight years after the GDPR came into force, and six years after data protection authorities publicly set out the legal framework, risks and safeguards governing this widespread commercial practice, what types of conduct can still draw the authorities’ attention and justify such a significant sanction? What measures should the sanctioned company have implemented or corrected to ensure compliance and protect its customers’ rights?

In the case at hand, between 2018 and 2023, a company had transferred the email addresses and/or phone numbers of 10.5 million(!) loyalty-program members located in multiple countries to a social media platform. These data were used to display targeted advertisements on that platform to promote said company’s products.

Following investigations, the CNIL (acting in cooperation with 16 other European supervisory authorities) found that the company had breached several obligations under the General Data Protection Regulation (GDPR) and the French Data Protection Act [3]. Given the seriousness of the breaches and the very large number of individuals concerned, the authority concluded that a Euro 3.5 million fine was warranted.

The investigation identified the following material deficiencies.

Invalid consent of data subjects to the transfer of their personal data to a social media platform for targeted advertising purposes

To justify the data sharing, the company relied, on the one hand, on the consent allegedly given when individuals joined its loyalty program by agreeing to receive marketing communications by email and/or SMS, and, on the other, on the fact that those individuals had accepted the concerned social media platform’s terms of use and privacy policy, which allow advertisers to display targeted ads.

The CNIL rejected both arguments. It found that consent was not validly obtained because:
  • the loyalty program sign-up form made no mention of any data transfer for targeted advertising on a social media platform;
  • the information available on the company’s website (notably in its privacy policy) either failed to mention any transfer at all or did not clearly explain its purpose; in any event, the information was too vague and too difficult to access to support informed consent;
  • consent given to the social media platform cannot replace the consent that the company itself, as data controller, was required to obtain beforehand.

In short, customers were never given a genuine opportunity to give explicit and informed consent to such transfer and purposes. Something as simple and effective as a clearly worded opt-in checkbox could have made all the difference.

Data subjects not properly informed

The information provided on the company’s website was found to be deficient on several counts. 

It was imprecise, as it failed to clearly link each processing purpose to its specific legal basis; incomplete, as it did not mention the targeted advertising purpose or the retention period for loyalty-program data; and inaccurate, as it still referred to the EU–US Privacy Shield, which is no longer in force.

As a result, data subjects were not given a clear, reliable or meaningful understanding of how their data would actually be used.

This shortcoming could easily have been avoided by keeping the compliance documentation up to date: this is not a one-off requirement but an ongoing obligation.

Inadequate data security measures

The CNIL found that the password complexity rules for user accounts were not sufficiently robust. It also reiterated that the use of the SHA-256 hashing function does not provide an appropriate level of security for password storage.

To align with recognized cybersecurity best practices and the guidance of ANSSI (the French National Cybersecurity Agency), the company should have implemented a stronger password policy and adopted modern authentication safeguards, measures that are straightforward to implement and fully documented by ANSSI [4].
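As an added illustration (not taken from the CNIL decision or from the firm’s advice), the contrast the authority draws: a bare SHA-256 digest of the password, which is deterministic and cheap to guess offline, against a salted, iterated key derivation function from the Python standard library, plus a minimal complexity check. The iteration count and the policy thresholds are assumed example values, not figures from ANSSI.

```python
import hashlib
import hmac
import os

# Bare SHA-256 (the scheme criticised in the decision): no salt and a single fast
# round, so equal passwords give equal digests across all users and each guess costs
# one hash. Kept here only to show the contrast.
def sha256_store(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Slow, salted KDF: PBKDF2-HMAC-SHA256 from the standard library. The iteration count
# is an assumed example value; tune it to current guidance and your hardware.
PBKDF2_ITERATIONS = 600_000

def kdf_store(password: str, salt: bytes = b"") -> str:
    # Fresh random salt per password unless one is supplied (e.g. for a test vector).
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record: algorithm, parameters, salt and digest, so the cost can
    # be raised later for new passwords without breaking verification of old records.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def kdf_verify(password: str, record: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Minimal complexity policy: minimum length plus at least three character classes.
# Thresholds are illustrative assumptions, not a transcription of ANSSI's rules.
def policy_ok(password: str, min_length: int = 12) -> bool:
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3
```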

No data protection impact assessment (DPIA) carried out

The company failed to conduct a DPIA before launching its targeted advertising program, even though such an assessment was clearly required. 

This processing involved (i) a large volume of personal data and (ii) the matching of these data with the profiles of social media users, creating a high risk to the rights and freedoms of individuals.

DPIAs are still too often overlooked by companies, which should be aware that they are mandatory for many types of processing.

For guidance, the CNIL:
  • identifies 14 types of processing operations for which a DPIA is mandatory;
  • adopts the list of operations likely to result in high risk to individuals’ rights and freedoms, based on the nine criteria from the Article 29 Working Party guidelines — if two or more criteria are met (which is quite common), a DPIA must be conducted.

It is also worth noting that an updated EU-wide list of high-risk processing operations is expected soon under the forthcoming “Omnibus” reforms, further emphasizing the importance of proactive risk assessment.

Cookies and trackers placed without consent

When users visited the company’s website, 11 consent-based cookies were placed on their devices before they had expressed any choice. 

Even when users refused non-essential cookies, those 11 cookies were neither deleted nor deactivated and continued to be read, in clear breach of the applicable French and European rules.

Companies must bear in mind that a compliant cookie banner is meaningless if cookies are still dropped before consent or kept after refusal. This area will evolve further with the CNIL’s 2026 recommendations [5] and the forthcoming Digital Omnibus package, making regular audits indispensable.

Targeted advertising can be highly effective, but as it uses personal data for purposes that differ significantly from customer database management, it must be designed, documented and operated in full compliance with the principles of lawfulness, transparency, security and accountability set out in the GDPR.

It is essential to stay informed and proactive, in particular by reviewing your compliance documents and practices in this regard and updating them regularly. We remain at your disposal for this purpose, as well as to answer any questions you may have about GDPR-compliant advertising.

Tech & Data Bites

Authors


Frédéric Bourguet

Attorney at law (France)

Associate Partner

+33 1 8621 9274



Raphaëlle Donnet

Attorney at law (France)

Associate

+33 1 7935 2542


Rödl FRANCE
