ACCOR SA – €600,000 Fine (France, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
France fined ACCOR €600,000 for sending newsletters without proper consent and not making it easy for people to opt-out. This case matters because it shows companies need to respect user choices and secure personal data.
What happened
ACCOR automatically signed up hotel guests for newsletters without clear consent and made it difficult to opt-out.
Who was affected
Hotel guests who booked through ACCOR and were automatically subscribed to newsletters without proper consent.
What the authority found
The French authority found ACCOR violated GDPR by using pre-ticked consent boxes and not providing easy opt-out options, along with other data protection failures.
Why this matters
This ruling emphasizes the need for companies to obtain clear consent and make opting out simple. It highlights the importance of secure data practices and respecting user rights in digital marketing.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The French DPA (CNIL) has imposed a fine of EUR 600,000 on ACCOR SA. Both CNIL and other European DPAS had received complaints against ACCOR from several individuals. In the course of its investigation, CNIL found that hotel guests who made a booking directly with the hotel or on one of the hotel group's websites automatically became recipients of an advertising newsletter as the box for consent to receive the newsletter was pre-ticked. In addition, the CNIL found that due to technical problems, many individuals were unable to opt-out of receiving the promotional emails. In this context, CNIL found that ACCOR had not sufficiently informed data subjects about the processing of their personal data in the context of promotional messages and thus violated Art. 12 GDPR and Art. 13 GDPR. Further, ACCOR had failed to respond to data subjects' requests for access to personal data in a timely manner, and thus the CNIL found a violation of Art. 12 GDPR and Art. 15 GDPR. The company had also failed to comply with the data subjects' right to object due to the technical problems. The CNIL therefore found a violation of Art. 12 GDPR and Art. 21 GDPR. Finally, the CNIL found a violation of Art. 32 GDPR because ACCOR allowed the use of passwords that were not sufficiently secure. In imposing the fine, CNIL considered aggravatingly that the violations affected several fundamental principles of personal data protection and constituted a fundamental infringement of the rights of the data subjects, as well as the number of data subjects involved.
Violations (3)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.
Art. 7 GDPR
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for ACCOR SA in FR
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Apple Distribution
2022 · Commission Nationale de l'Informatique et des Libertés
Radio Popular S.A.
2021 · Agencia Española de Protección de Datos
CNIL
2019 · Court of Justice of the European Union
ANSPDCP
2025 · Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Court case 490202
2025 · DPA CE
Details
Fine Date
19 August 2022
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€600,000
Enforcement Tracker ID
ETid-1361
About this data
Cite as: Cookie Fines. ACCOR SA - France (2022). Retrieved from cookiefines.eu
Last updated: