The GDPR says no and France’s CNIL has just reminded two companies of that rule, at two very different scales.
📅 On June 26, 2025, the CNIL’s rapporteur recommended a €525 million fine against Google, accused of turning Gmail into a targeted advertising platform without valid user consent.
📩 In practice: email viewing activity was used to generate personalized ads — without clear information, without explicit choice, and without a valid legal basis.
In May, the CNIL fined Caloga, a French email marketing company, €80,000.
🔍 Why? For mass sending of marketing emails to people whose addresses had been collected through product tests or sweepstakes run by partners… without obtaining free, specific, and informed consent for such use.
⚖️ Double standard? Not in the law
📘 Both decisions rely on the same legal foundation, combining GDPR and sector-specific rules:
🟠 Article 6 of the GDPR: data processed without a valid legal basis.
Neither company obtained proper consent for processing data for marketing purposes.
🟠 Article 7 of the GDPR: inability to prove consent.
Poor traceability and ambiguous collection mechanisms led to a clear failure to meet the burden of proof.
🟠 Articles 12 to 14 of the GDPR: failure to provide proper information.
The information given was insufficient, incomplete, or even misleading, especially regarding the advertising purpose of the processing.
🟠 Article L.34-5 of the French Postal and Electronic Communications Code:
Electronic solicitations require prior, express consent, except in the case of an existing commercial relationship.
→ Neither Google nor Caloga qualified for this exemption.
📉 Three shared failures, two business models
In both cases:
👉 The user had no control over their data;
👉 The information was insufficient or misleading;
👉 Monetization relied on strategic opacity.
Whether it’s a global tech giant or a local data marketer, the legal breach is the same: using personal data without honoring the core principles of transparency, fairness, and control.
🧭 A fine line all companies must now walk
These two cases highlight a truth that can no longer be ignored:
➡️ The GDPR doesn’t scale with your company — it applies.
➡️ Consent isn’t implied — it must be proven.
➡️ A “free” service is never exempt from protecting fundamental rights.
Even when the marketing strategy is legacy, integrated, or hidden behind a “seamless” user experience.
🔍 Regulators are now striking at every level
- 👉 From GAFAM to French SMEs;
- 👉 From visible practices to concealed systems;
- 👉 With business models that, despite scale, violate the same principles: transparency, fairness, and consent.
Source : https://www.cnil.fr/fr/sanction-de-80-000-euros-societe-caloga
