CNIL has imposed a €3.5 million fine on a company for transferring loyalty programme member data to a social network for advertising targeting purposes without valid consent.
The authority states that, since February 2018, the company transmitted email addresses and/or telephone numbers of loyalty members to a social network to create targeting audiences, and that the consent basis relied upon was not valid for this use.
The decision was adopted on 30 December 2025 and published by CNIL on 22 January 2026, in cooperation with multiple European counterparts.
Acompli perspective: Customer 'relationship' data is not a free pass. If you build advertising audiences from loyalty datasets, regulators will scrutinise disclosure, lawful basis, and whether consent is demonstrable for that specific targeting use. Strengthen your data transfer compliance practices, assess vendor relationships involved in data sharing, and understand the regulatory enforcement consequences of getting it wrong.