CALOGA – €80,000 Fine (France, 2025)
CALOGA was fined €80,000 for using misleading consent forms that made it hard for users to opt out of data sharing. The company used dark patterns to manipulate consent choices, which is against data protection rules. This case shows that businesses must be transparent and fair in how they obtain consent.
What happened
CALOGA used misleading forms that made it easier for users to accept data sharing than to refuse it.
Who was affected
Individuals who interacted with CALOGA's consent forms and had their data used for marketing.
What the authority found
The French data protection authority found that CALOGA violated GDPR by using dark patterns and not allowing easy withdrawal of consent.
Why this matters
This ruling serves as a warning to businesses about the importance of clear and fair consent practices. Companies should avoid manipulative tactics and ensure users can easily manage their consent.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
CALOGA (the controller) is a company that carries out commercial marketing operations, as well as acting as a data broker. The controller organizes its processing in four databases. One of the services the controller offered was to carry out e-mail marketing campaigns on behalf of companies. To do this, the controller used data collected by data brokers through entry forms for game contests or online product tests. These forms were misleading because the buttons to accept the use of data subjects’ data was much more prominent than those to reject it (this is also known as dark patterns). The controller relied on prior consent given for the initial collectors, and did not allow the data subject to withdraw consent as easily as they had given it. The DPA carried out an on-the-spot investigation of the company in 2022. On June 2024, the DPA rapporteur informed the controller of its breaches of Articles 5(1)(e), 6(1)(a) and 32 GDPR. The controller responded with two arguments- first, it could not foresee that the DPA’s conclusions, as there were no specific recommendations on direct marketing at the time of the inspection. The controller also argued that it had no role in obtaining consent when the data was first collected, and that the contractual and verification measures for the data collected were sufficient. The DPA considered that CALOGA acted as a joint controller for the purposes of transmitting the data to partners (these partners were considered joint controllers). The DPA first dismissed the controller’s foreseeability argument, stating there were rules applicable to direct marketing and consent for several years, and the recommendations on consent through cookies can serve as a guideline for general collection of consent. The DPA also considered the contractual and verifications measures taken by the controller as insufficient. According to Article 7 GDPR, the controller must prove that the data subject has consented to the data processing concerning th
Violations (4)
Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.
Art. 7 GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
No accessible mechanism exists for users to withdraw previously given cookie consent.
Art. 7(3) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for CALOGA in FR
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
15 May 2025
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€80,000
GDPRhub ID
gdprhub-9300About this data
Cite as: Cookie Fines. CALOGA - France (2025). Retrieved from cookiefines.eu
Last updated: