CNIL issues €3.5 million fine for customer match practices: key lessons for organisations

The French Data Protection Authority (CNIL) has fined an organisation €3.5 million for improper use of customer match tools, reinforcing the growing regulatory focus on social media‑based targeted advertising. The decision highlights the need for clear transparency, specific consent and strong governance when sharing customer data with advertising platforms.

Background to the CNIL decision

Customer match and lookalike audience tools offered by major social media platforms allow organisations to upload hashed customer data so individuals can be matched to their platform profiles for targeted advertising. While widely used, these tools involve large‑scale data sharing and have attracted increasing scrutiny from regulators across the EU.

On 22 January 2026, CNIL fined an organisation €3.5 million after it transferred the personal data of approximately 10.5 million loyalty programme members to a social media platform for advertising purposes. CNIL found that individuals were not clearly informed that their data would be used in this way and that the organisation relied on bundled consent that did not meet GDPR requirements. CNIL also concluded that a Data Protection Impact Assessment (DPIA) should have been carried out due to the scale and nature of the processing.

Transparency and disclosure expectations

The decision emphasises that organisations must be explicit when explaining customer match practices. General privacy notice wording, or reliance on the platform’s own information, does not meet GDPR transparency standards. Organisations must clearly state which platforms data will be shared with and why. This includes explaining how hashed data is used to deliver targeted advertising and the implications for individuals.

Supervisory authorities expect privacy notices to give individuals direct, accessible information that allows them to understand the processing and exercise meaningful control. CNIL’s findings align with similar positions taken by the Irish Data Protection Commission and other EU regulators.

Lawful basis and risk assessment

The ruling reinforces long‑standing expectations around lawful bases for marketing. Consent must be specific, informed and freely given. Bundled or overly broad consents remain a consistent enforcement risk. Where organisations rely on consent for customer match activities, they must ensure individuals understand the specific purpose and have a genuine choice.

CNIL also highlighted that a DPIA is often required for customer match processing. Factors contributing to high risk include the volume of data involved, the involvement of major advertising platforms and the potential for behavioural profiling. Organisations must therefore assess whether a DPIA is needed before implementing customer match tools and ensure that appropriate safeguards are documented.

Implications for Irish and EU organisations

For organisations operating in Ireland and the wider EU, the CNIL decision provides clear guidance on regulator expectations. Customer match and lookalike audience tools are likely to be seen as high‑risk processing, even when hashes or pseudonymised identifiers are used. Transparency documentation, lawful‑basis assessment and DPIA processes must all be reviewed to ensure compliance.

The decision also reflects broader enforcement themes across Europe, including a strong focus on digital marketing practices, platform‑based advertising models and the management of large‑scale customer datasets. Organisations using or considering customer match services should take steps to ensure that their governance, documentation and consent mechanisms meet regulatory standards.
