On January 30, 2024, the Commission nationale de l’informatique et des libertés (CNIL), the authority responsible for protecting data and overseeing compliance with the Loi Informatique et Libertés – France’s adaptation of the European General Data Protection Regulation (GDPR) – issued a € 75,000 fine against Tagada Media, a digital media company headquartered in Paris.
Tagada collects data from internet users who enter competitions or participate in product testing; the company then sends the data to its customers for use in advertising. In 2022, the CNIL conducted several online investigations of the company’s web offerings. After notifying the company, receiving Tagada’s responses, and holding a hearing on December 7, 2023, the CNIL issued its decision. According to the CNIL, the consent forms provided by Tagada do not allow free, informed and unambiguous consent. By using techniques such as small text size, hard-to-see buttons, and strategic positioning of consent and non-consent buttons, the company’s practices result in the non-consensual transmission of personal data to third parties, in violation of the GDPR.
Specifically, the CNIL found that Tagada had violated Article 6 of the GDPR, which allows companies to process consumer data with the consent of the consumer, or in cases where the processing is necessary for the performance of an existing contract between the parties, to fulfill a legal obligation of the company, to protect vital interests, to perform a task necessitated by the demands of public interest, or to further the legitimate interests of the company unless such interests are overridden by the fundamental rights and freedoms of the data subject. The CNIL found that Tagada did not have a legal basis for the manner in which it processed users’ personal data.
The CNIL also determined that Tagada had violated Article 30 of the GDPR, which requires companies like Tagada to maintain records of their processing activities, including the identity of purpose of the processing, the categories of data processed, the types of recipients to whom data is transferred, and the time limits for destruction of the data. According to the CNIL, Tagada did not properly identify which of the two companies it controls was the designated controller of the data.
In addition to an administrative fine of € 75,000, the CNIL ordered Tagada to put in place a GDPR-compliant consent form within one month, or face a € 1,000 penalty for every subsequent day of non-compliance. The CNIL’s decision will remain public for two years, after which Tagada will not be identified by name in the publication.