A large European sports chain had been sharing email addresses and phone numbers from its loyalty program with a social network since 2018. The purpose was targeted advertising – customers received ads for the chain's products in their feed. 10.5 million people were affected.
The French data protection authority CNIL found three violations. First, the practice lacked a valid legal basis for processing: the customers had never consented to their data being used for social media advertising. Second, the customers were not informed that the data was being passed on. The loyalty program sign-up form did not mention it. Third, tracking cookies were placed without consent.
The CNIL cooperated with 16 European data protection authorities in the case and fined the chain 3.5 million euros.
**Practical point:**
Is your marketing department uploading customer lists to Facebook, Instagram, or LinkedIn to display targeted ads? Check two things: did the customers specifically consent to this, and does the privacy policy say so? If the answer to either is no, you're doing the same thing that cost this chain 3.5 million euros.
Inspired by: CNIL