Back to news

CNIL: €3.5 million fine for sharing customer data with a social network

· Waulter team
CNIL GDPR fine cookies consent marketing targeted advertising

What happened

On December 30, 2025, France's data protection authority CNIL imposed a €3.5 million fine on Intersport for multiple GDPR and cookie violations. The decision was made public on January 22, 2026.

Since February 2018, the company had been regularly transferring email addresses and phone numbers of its loyalty program members to a social network for targeted advertising. More than 10.5 million individuals were affected.

Five key violations

1. Data transfer without legal basis

Intersport shared customer personal data with a social network for matching with user accounts and ad targeting. The company cited consent obtained during loyalty program registration, but customers were never clearly informed that their data would be shared with a social network for advertising purposes.

Consent to receive marketing emails and SMS does not equal consent to share data with third parties for social network advertising.

2. Incomplete processing information

The loyalty program registration form contained no information about data transfers to the social network. Website documentation either failed to mention the transfers or did not clearly state their purpose. Without proper information, consent cannot be valid.

3. Inadequate password security

The company used only SHA-256 for password storage. CNIL found this insufficient — the state of the art requires slow hash functions like Argon2 or bcrypt that are more resistant to brute-force attacks.

4. Missing DPIA

Intersport failed to conduct a Data Protection Impact Assessment (DPIA) before deploying targeted advertising on the social network, even though this involved large-scale processing of data from multiple sources with high risk to data subjects' rights.

5. Cookies without consent — even after refusal

Eleven cookies requiring consent were set on users' devices before they had made a choice. When users refused non-essential cookies, the cookies were not deleted and continued to be read.

This is a direct violation of ePrivacy rules — and exactly the type of problem a properly configured CMP eliminates.

Fine breakdown

Violation Amount
GDPR breaches (Art. 5, 13, 25, 32, 35) €2,500,000
Cookie violations (ePrivacy) €1,000,000
Total €3,500,000

The decision was adopted in cooperation with 16 European supervisory authorities, as data from individuals in multiple member states was involved.

What this means for businesses

This case is a warning for any company that:

  • Shares customer data with ad platforms — Facebook Custom Audiences, Google Customer Match, and similar tools require explicit, informed consent.
  • Relies on "general" marketing consent — email marketing consent does not cover sharing data with third parties.
  • Has a poorly configured cookie banner — cookies set before consent or persisting after refusal are direct violations.

Cross-border reach

CNIL can fine companies based outside France if they process data of French citizens. Coordination with 16 DPAs demonstrates that cross-border enforcement works.

How to protect yourself

  • A cookie banner that actually blocks — no cookies before consent, no cookies after refusal.
  • Transparent information — clearly state who you share data with and why.
  • DPIA before deployment — large-scale processing from multiple sources requires a mandatory impact assessment.
  • Modern security — bcrypt or Argon2 for passwords, encryption at rest and in transit.

Waulter CMP ensures that no cookies are set on your website without valid consent — and completely removes them after refusal. The crawler automatically verifies that no trackers appear before consent.


Sources: CNIL — decision of December 30, 2025 (published January 22, 2026), DataGuidance, CyberNews, Aphaia, Forvis Mazars

Want to keep consent under control?

Waulter CMP helps you with consent management, GDPR compliance, and personal data protection.