Feb 08, 2026 · 5 min read
This Retailer Shared 10.5 Million Customer Emails With a Social Network for Ads—Without Telling Anyone
A major European sports retailer had been transferring loyalty program members' email addresses and phone numbers to a social media platform for targeted advertising since 2018, without ever informing those customers.
What Happened
On December 30, 2025, France's data protection authority CNIL issued a €3.5 million fine against a major retailer for secretly sharing customer data with a social network. The practice had been ongoing since February 2018, affecting more than 10.5 million loyalty program members.
The company transferred customers' email addresses and telephone numbers to the social network for the purpose of targeted advertising. When customers signed up for the loyalty program, they had no idea their contact information would end up being used to target them with ads on social media.
The decision involved coordination with data protection authorities from 16 other European countries, indicating that the data sharing affected customers across the continent.
How the Deception Worked
The CNIL found that customers were never clearly informed about the data transfers. The violations included:
- Loyalty program terms made no mention of data transfers to social networks
- Website information failed to disclose the transfers or their purpose
- Privacy documentation was described as fragmented, vague, or incomplete
- Customers believed they were consenting to loyalty program marketing, not social media ad targeting
This is a textbook case of consent obtained without transparency. Customers thought they knew what they were signing up for. In reality, their personal contact information was being sent to a third-party platform to build advertising audiences without their knowledge.
Multiple GDPR Violations
The CNIL found several serious violations beyond the undisclosed data sharing:
- No data protection impact assessment: when a company plans to use personal data for targeted advertising at this scale, GDPR (Article 35) requires a formal data protection impact assessment (DPIA) of the privacy risks before the processing starts. The company never did one.
- Inadequate password security: customer account passwords were protected with weak hashing algorithms that do not meet current standards, leaving them exposed to offline cracking if the account database were ever breached.
- Cookie violations: eleven cookies that required consent were set in visitors' browsers before any consent was obtained, and some of them persisted even after visitors actively refused them.
- Incomplete privacy notices: the company's privacy documentation omitted required information such as data retention periods, and still referenced the Privacy Shield framework for international transfers, which the EU Court of Justice invalidated in 2020.
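The password finding is the one item in that list that is a plain engineering defect, so here is what "weak hashing" versus a current standard looks like in practice. This is an added example and not code from the page or from the retailer; the CNIL decision as summarized here does not name the algorithm that was used, so the unsalted MD5 in `weak_hash` is assumed purely as a representative weak choice. The hardened scheme uses PBKDF2-HMAC-SHA256 with a per-user random salt and a high iteration count (Argon2id would be the preferred choice but needs a third-party package); `upgrade_on_login` shows how a legacy record is migrated transparently the next time the user authenticates. The wordlist and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed stand-in for an attacker's cracking dictionary.
WORDLIST = ["password", "123456", "football", "summer2018", "letmein"]

# OWASP's current minimum for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted, fast hash. Assumed here as the 'before' state; the page does
    not say which algorithm the retailer actually used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_crack(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against an unsalted fast hash: one cheap hash
    per guess, and precomputed tables work because there is no salt."""
    for guess in wordlist:
        if weak_hash(guess) == digest:
            return guess
    return None


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash. The stored record carries scheme, cost
    and salt so the parameters can be raised later without a flag day."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(iterations), dklen=32)
    return hmac.compare_digest(dk, expected)


def upgrade_on_login(legacy_digest: str, password: str,
                     iterations: int = PBKDF2_ITERATIONS) -> Optional[str]:
    """Migration path: when a user authenticates correctly against a legacy
    unsalted record, return a replacement record in the strong scheme.
    Returns None if the password does not match (nothing to migrate)."""
    if not hmac.compare_digest(weak_hash(password), legacy_digest):
        return None
    return hash_password(password, iterations)


if __name__ == "__main__":
    legacy = weak_hash("summer2018")
    print("legacy digest cracked as:", weak_crack(legacy, WORDLIST))
    migrated = upgrade_on_login(legacy, "summer2018")
    print("migrated record:", migrated)
    print("verify ok:", verify_password("summer2018", migrated))
    print("verify wrong pw:", verify_password("summer2019", migrated))
```

The point of the migration helper is that you never need the plaintext in bulk: the only moment the server sees a password is at login, and that is when the record gets rewritten. Anyone who never logs in again keeps a weak record, so a forced reset after a deadline is the usual complement.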
The Company's Defense
In response to the fine, the company stated it has never sold the personal data of its customers. It characterized the situation as using one of the advertising services offered by a social network, without releasing the data.
This defense highlights a common disconnect in how companies think about data sharing. The company may not have received direct payment for customer data, but it transferred identifiable contact information to a third party for commercial purposes. Under GDPR, processing of that kind has to be transparent to the data subject and needs a valid lawful basis; where that basis is consent, the consent must be specific and informed. Customers here were given neither a clear notice nor a real choice.
Whether you call it selling, sharing, or using a service, the practical effect is the same: customer data ended up with a social network that used it to target those customers with advertising.
What This Means for You
This case illustrates a broader problem with loyalty programs. When you sign up for a store's rewards card, you may think you are just getting discounts in exchange for letting the store track your purchases. But your email address and phone number can end up being shared with advertising platforms you never agreed to engage with.
The data flowing from loyalty programs to social networks enables what is called custom audience targeting. Advertisers upload lists of email addresses or phone numbers (in practice usually as hashes of the normalized values), and the social network matches them against its users. Hashing does not make this anonymous: the platform hashes its own users' identifiers the same way and compares, so every hit re-identifies a real account. If your contact information is on that list, you start seeing ads from that company in your social feed, even if you never interacted with them online.
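To make the matching step concrete, the following is an added example (not code from the page, the retailer or any advertising platform) that goes through both sides of a custom audience upload: the advertiser normalizes and SHA-256 hashes loyalty records, and the platform hashes its own user table the same way and intersects. The normalization rules (lowercase trimmed email, digits-only phone in international format, French country code assumed when a number has a leading zero) are assumptions chosen for the example, as are the member and user records, which are constructed.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed loyalty records as the retailer might hold them.
LOYALTY_MEMBERS: List[Dict[str, Optional[str]]] = [
    {"email": " Alice.Dupont@Example.com ", "phone": "06 12 34 56 78"},
    {"email": "bob@example.org", "phone": None},
    {"email": None, "phone": "+33 7 98 76 54 32"},
]

# Constructed platform-side accounts; the platform never sees the raw
# loyalty data, only the hashes from build_upload().
PLATFORM_USERS: List[Dict[str, Optional[str]]] = [
    {"user_id": "u1", "email": "alice.dupont@example.com", "phone": "+33612345678"},
    {"user_id": "u2", "email": "carol@example.net", "phone": "0798765432"},
    {"user_id": "u3", "email": "dave@example.com", "phone": None},
]


def normalize_email(raw: str) -> str:
    """Trim whitespace and lowercase, so case and padding cannot break a match."""
    return raw.strip().lower()


def normalize_phone(raw: str, country_code: str = "33") -> str:
    """Digits only, international format without '+'. A leading '00' is an
    international prefix; a single leading '0' is treated as a national number
    in the assumed default country."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = country_code + digits[1:]
    return digits


def hash_identifier(value: str) -> str:
    """SHA-256 of the normalized identifier: deterministic, so both sides
    compute the same digest for the same person."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_upload(members: Iterable[Dict[str, Optional[str]]]) -> Set[str]:
    """Advertiser side: the set of digests that leaves the retailer."""
    hashes: Set[str] = set()
    for m in members:
        if m.get("email"):
            hashes.add(hash_identifier(normalize_email(m["email"])))
        if m.get("phone"):
            hashes.add(hash_identifier(normalize_phone(m["phone"])))
    return hashes


def match_audience(upload: Set[str],
                   users: Iterable[Dict[str, Optional[str]]]) -> List[str]:
    """Platform side: hash each account's identifiers with the same rules and
    look them up in the uploaded set. A hit ties a loyalty member to an
    account, which is exactly why the upload is still personal data."""
    matched: List[str] = []
    for u in users:
        candidates = []
        if u.get("email"):
            candidates.append(hash_identifier(normalize_email(u["email"])))
        if u.get("phone"):
            candidates.append(hash_identifier(normalize_phone(u["phone"])))
        if any(c in upload for c in candidates):
            matched.append(u["user_id"])
    return matched


def run_demo() -> List[str]:
    return match_audience(build_upload(LOYALTY_MEMBERS), PLATFORM_USERS)


if __name__ == "__main__":
    print("accounts now targetable:", run_demo())
```

Two things worth noticing: the member whose email never matched is still caught through a phone number written in a completely different format, and the platform can run the same comparison against every account it has, so "we only uploaded hashes" describes the transport, not the privacy outcome.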
Consider these steps to protect yourself:
- Use a dedicated email address or alias for loyalty programs, separate from the one you use for personal communication, so that any sharing is at least visible and containable
- Read privacy policies carefully, looking for mentions of third-party sharing, "partners", or advertising
- Exercise your right to object to processing for direct marketing purposes (Article 21 GDPR), which the company must honor
- Periodically exercise your right of access (Article 15 GDPR) to learn what data companies hold about you and whom they have shared it with, and ask for deletion of data you did not explicitly consent to share
The Enforcement Trend
This fine is part of a growing pattern of GDPR enforcement against hidden data sharing for advertising. Regulators are increasingly scrutinizing the gap between what privacy notices claim and what actually happens with customer data.
The €3.5 million fine may seem modest for a major retailer, but the reputational damage and the requirement to change practices can have lasting effects. For consumers, these enforcement actions provide a rare window into how their data is actually being used behind the scenes.
The message is clear: consent must be specific and informed. Burying data sharing practices in vague terms or failing to mention them entirely is no longer acceptable.