CALOGA – €80,000 Fine (France, 2025)
CALOGA was fined EUR 80,000 for using misleading practices in obtaining consent for marketing data. This ruling is significant as it shows that companies must be transparent and fair when collecting user data.
What happened
The French DPA fined CALOGA for using misleading consent forms that favored acceptance over rejection of data use.
Who was affected
Individuals whose data was collected for marketing purposes were affected by CALOGA's practices.
What the authority found
The authority found that CALOGA violated multiple GDPR articles by not allowing users to easily withdraw consent and using dark patterns in consent forms.
Why this matters
This case sets a precedent that companies must be clear and fair in how they obtain consent for data use. Businesses should review their consent processes to avoid similar penalties.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
CALOGA (the controller) is a company that carries out commercial marketing operations, as well as acting as a data broker. The controller organizes its processing in four databases. One of the services the controller offered was to carry out e-mail marketing campaigns on behalf of companies. To do this, the controller used data collected by data brokers through entry forms for game contests or online product tests. These forms were misleading because the buttons to accept the use of data subjects’ data was much more prominent than those to reject it (this is also known as dark patterns). The controller relied on prior consent given for the initial collectors, and did not allow the data subject to withdraw consent as easily as they had given it. The DPA carried out an on-the-spot investigation of the company in 2022. On June 2024, the DPA rapporteur informed the controller of its breaches of Articles 5(1)(e), 6(1)(a) and 32 GDPR. The controller responded with two arguments- first, it could not foresee that the DPA’s conclusions, as there were no specific recommendations on direct marketing at the time of the inspection. The controller also argued that it had no role in obtaining consent when the data was first collected, and that the contractual and verification measures for the data collected were sufficient. The DPA considered that CALOGA acted as a joint controller for the purposes of transmitting the data to partners (these partners were considered joint controllers). The DPA first dismissed the controller’s foreseeability argument, stating there were rules applicable to direct marketing and consent for several years, and the recommendations on consent through cookies can serve as a guideline for general collection of consent. The DPA also considered the contractual and verifications measures taken by the controller as insufficient. According to Article 7 GDPR, the controller must prove that the data subject has consented to the data processing concerning th
Violations (4)
Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.
Art. 7 GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
No accessible mechanism exists for users to withdraw previously given cookie consent.
Art. 7(3) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for CALOGA in FR
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
15 May 2025
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€80,000
GDPRhub ID
gdprhub-9300About this data
Cite as: Cookie Fines. CALOGA - France (2025). Retrieved from cookiefines.eu
Last updated: