French regulator fines company €3.5M over data sharing and tracking cookies


The French data protection and privacy regulator has fined an unnamed company €3.5 million for sharing customer data with a social media platform without consent, allowing users to set weak account passwords, storing password hashes with SHA-256 (a fast general-purpose hash rather than a dedicated password hashing function), and setting tracking cookies without consent.

According to the Commission Nationale de l’Informatique et des Libertés (CNIL), the unnamed company had been sharing the email addresses and telephone numbers of its loyalty program members with a social networking platform since February 2018. The platform used this information to show those members personalized ads promoting items sold by the company.

However, customers were not informed about the data transfer or its purpose, which violates the transparency obligations of Articles 12 and 13 of the General Data Protection Regulation (GDPR).


On top of that, the company failed to conduct a data protection impact assessment (DPIA) before processing and sharing this data with the social network, in violation of Article 35 of the GDPR.

Furthermore, the CNIL noted that the company allowed users to set account passwords that were “insufficiently robust.”

[Image: Passwordless authentication (Image by Cybernews)]

Also, the company hashed passwords with SHA-256, which, according to the French DPA, did not allow secure storage of passwords: SHA-256 is a fast, general-purpose hash, so an attacker holding a leaked database can test billions of candidate passwords per second, whereas dedicated password hashing functions (such as Argon2, scrypt, bcrypt or PBKDF2) are deliberately slow and salted per user. This is an infringement of Article 32 of the GDPR, which covers the security of processing personal data.
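The following is an added example, not code from the article or from the sanctioned company, illustrating both findings above: why a bare SHA-256 digest is a weak way to store passwords, and what a per-user salted, deliberately slow scheme looks like instead. It uses only the Python standard library. The wordlist, the minimum-length rule in `is_robust` and the scrypt cost parameters are assumptions chosen for illustration, not the CNIL's requirements or the company's settings.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist (not real leaked data): the kind of list an attacker
# runs against a table of unsalted SHA-256 digests.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2023"]


def weak_sha256_hash(password: str) -> str:
    """The pattern the regulator objected to: one fast, unsalted SHA-256 per password.

    Equal passwords give equal digests across all users, and each guess costs
    a single cheap hash, so a leaked table can be attacked with a wordlist.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_sha256(digest: str, wordlist) -> Optional[str]:
    """Offline guessing against an unsalted SHA-256 digest: one hash per candidate."""
    for candidate in wordlist:
        if weak_sha256_hash(candidate) == digest:
            return candidate
    return None


# Assumed illustrative policy (not the CNIL's wording): reject short passwords and
# anything on the attacker-style wordlist above.
MIN_LENGTH = 12


def is_robust(password: str) -> bool:
    return len(password) >= MIN_LENGTH and password.lower() not in WORDLIST


# Assumed scrypt cost parameters: 128 * n * r bytes of memory (16 MiB here).
# Tune n upwards until one hash takes a noticeable fraction of a second on
# your own hardware; these values are for illustration only.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard password hash. Stores parameters and salt alongside the hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    leaked = weak_sha256_hash("password")          # what an unsalted table holds
    print("recovered from SHA-256 table:", crack_sha256(leaked, WORDLIST))
    stored = hash_password("correct horse battery")
    print("stored record:", stored)
    print("verify ok:", verify_password("correct horse battery", stored))
    print("verify wrong:", verify_password("password", stored))
    print("two users, same password, same digest?",
          weak_sha256_hash("password") == weak_sha256_hash("password"),
          "| with scrypt:", hash_password("password") == hash_password("password"))
```

The two properties the example makes visible are the ones that matter for Article 32: with plain SHA-256, every user who chose "password" has the same digest and a wordlist recovers it immediately, while the scrypt record carries a random per-user salt (so identical passwords hash differently) and a configurable cost that makes each guess expensive.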

Lastly, the CNIL notes that as soon as a user visited the company’s website, 11 tracking cookies were set on their device, before the cookie consent prompt even appeared on screen. The cookies were set even when the user rejected them, and after a refusal they were neither deleted from the browser nor stopped being read, thereby infringing Article 82 of the French Data Protection Act (loi Informatique et Libertés), which governs the storing of and access to information on a user’s device.


The decision to issue a €3.5 million fine was adopted in cooperation with 16 other European data protection authorities. The amount of the sanction reflects the seriousness of the shortcomings and the large number of people affected by these violations (over 10.5 million).
