Court case 490202 – Court Ruling (France, 2025)
A French court ruled that Canal+ Group failed to get proper consent from users for marketing emails. This is important because it emphasizes that companies must clearly ask for permission before using people's data. Small businesses should review their consent practices to avoid similar issues.
What happened
Canal+ Group used personal data for marketing without obtaining valid consent from users.
Who was affected
Approximately 3.9 million people whose data was used for electronic marketing by Canal+ Group without their explicit consent.
What the authority found
The court found that Canal+ Group did not comply with GDPR's consent requirements for electronic marketing.
Why this matters
This case sets a precedent for how consent must be obtained and highlights the need for clear communication with users about data use.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2021, the Canal+ Group (controller) carried out commercial prospecting by electronic means, targeting approximately 3.9 million people. The controller did not directly seek the consent of the persons concerned. Instead, they contacted people whose personal data and consent for marketing purposes had already been collected by two partner internet service providers (ISPs) through data collection forms. The ISPs' subscribers were invited to check a box to give their consent to the use of their personal data for prospecting purposes by the ISPs’ "partners". The names of these partners were not specified in the form, nor were they accessible via a hyperlink or by any other means. The CNIL (French DPA) conducted multiple inspections. On 12 October 2023, the DPA found that the controller had failed to comply with their obligation to obtain valid consent from the individuals concerned for the purposes of electronic marketing, in violation of Article 7 GDPR. The controller brought an action for annulment of this decision before the Council of State. The Council of State considered that this dispute raised a question as to whether the consent given by the data subject to a first collector, allowing their data to be used by a category of recipients for the purpose of electronic prospecting, can be regarded as informed consent within the meaning of Article 4(11) of the GDPR, read in conjunction with articles 13(1) and 14 of the same Regulation, and article 13 of the Directive of 12 July 2002 on privacy and electronic communications. A further question arises as to whether the degree of specificity of the term « category of recipients » is significant, or whether, as in the present case, it may simply refer to any « partner » of the initial data collector. The Council of State considered that these questions are decisive for the resolution of the dispute and present serious difficulties. The Council of State therefore referred the matter to the Court of Justice of the Eur
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (4)
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Cases (0)
No other cases found for Court case 490202 in FR
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Court case 490202 - France (2025). Retrieved from cookiefines.eu
Last updated: