Data protection authorities across Europe have recently imposed significant fines on companies for violations of data protection laws. Below, we highlight decisions concerning breaches of direct marketing and profiling rules.
A telecommunications company fined €50 million by the French Supervisory Authority
On 23 January 2025, the French Supervisory Authority (CNIL) fined a telecommunications operator €50 million for displaying advertisements via email to users without obtaining consent for direct marketing, and for placing cookies on user devices despite their rejection of cookies. CNIL found that these activities violated the following provisions:
- Article L. 34-5 of the French Post and Electronic Communications Code: obligations to obtain the consent of individuals to receive commercial prospecting by electronic means
- Article 82 of the French Data Protection Act: requires cookies not to be read after a user has withdrawn consent.
As a result, CNIL imposed a fine of €50 million and an order for the company to stop reading cookies within three months of a user withdrawing consent, with a penalty of €100,000/day for non-compliance.
KASPR fined €200,000 by the French Supervisory Authority
KASPR, a technology company that gives paying customers access to the contact details of LinkedIn professionals, was fined €200,000 by CNIL. The database contains around 160 million contacts which KASPR customers use to contact individuals for commercial prospecting, recruitment and identity verification.
CNIL investigated several complaints from individuals who had been canvassed by entities that had obtained their contact details via the KASPR extension. The investigation found the following GDPR violations:
- Article 6 of the GDPR: LinkedIn users can limit the visibility of their profiles to their 1st and 2nd connections. However, CNIL found that KASPR's indiscriminate collection of contact details, without due consideration of this visibility limitation, was a breach.
- Article 5(1)(e) of the GDPR: KASPR’s retention of user details for five years after the individual had changed their job or employer was found to be disproportionately long and in breach.
- KASPR delayed informing data subjects about the processing of their personal data for four years. When it finally did, the opt-out link was only available in English. CNIL found both points were in breach of articles requiring transparency in data processing.
As a result, CNIL ordered KASPR to do the following:
- Cease collecting the personal data of individuals who chose to limit the visibility of their contact details and delete all data collected in this manner. If distinguishing the data of individuals who had limited the visibility of their contact details was not possible, KASPR must contact all concerned individuals, within 3 months of processing the data, offering them the chance to object to the processing.
- Stop the automatic renewal of personal data storage.
- Inform individuals whose data was collected about the processing activity.
- Respond to subject access requests from individuals.
KASPR was fined €200,000 and given a six-month window to comply with these measures.