Data brokers: SOLOCAL MARKETING SERVICES fined €900,000
On 15 May 2025, the French Data Protection Authority (CNIL) fined SOLOCAL MARKETING SERVICES 900,000 euros for commercial prospecting without prospects’ consent and transferring their data to partners without a valid legal basis.

Background information
As the CNIL made commercial prospecting a priority topic for investigations in 2022, it focused on the practices of professionals in the sector, particularly those who resell data, including the many intermediaries in this ecosystem known as data brokers.
On this occasion, the CNIL investigated SOLOCAL MARKETING SERVICES, which obtained prospect data mainly from data brokers, publishers of game contests and product testing sites (these actors are the first links in the chain, the primary collectors, who are responsible for collecting prospect data).
SOLOCAL MARKETING SERVICES used this data to carry out commercial prospecting by SMS or e-mail to the individuals concerned, on behalf of its advertiser customers. It may also pass on some of this data to its customers, so that they can carry out their own commercial prospecting by telephone or post.
Based on the findings of the inspection, the restricted committee – the CNIL body responsible for issuing sanctions – considered that the company had failed to comply with obligations under the French Post and Electronic Communications Code (CPCE) and the General Data Protection Regulation (GDPR) regarding the collection and proof of consent.
It imposed on SOLOCAL MARKETING SERVICES:
- a €900,000 fine which was made public; and
- an order to cease electronic commercial prospecting in the absence of valid consent, together with a penalty of 10,000 euros per day overdue after a period of 9 months.
The amount of this fine takes into account the very large number of people concerned (several million), the company's historical position on the market, the financial benefit derived from the breaches, and the measures taken by the company to comply with some of its obligations since the checks were carried out.
Sanctioned breaches
Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Article L.34-5 of the CPCE)
SOLOCAL MARKETING SERVICES offers its customers (in particular companies) the opportunity to carry out commercial prospecting campaigns on their behalf by SMS or e-mail. To carry out these campaigns, the company purchases prospective customers' data from many data brokers, who collect the data via entry forms for game contests or online product testing on various websites.
The restricted committee considered that the misleading appearance of the forms used by data brokers made it impossible to obtain free and unambiguous consent, in compliance with the requirements of the GDPR, which would have formed the basis for the prospecting operations carried out by the company.
Illustrations of non-compliant forms used by data brokers (as examples)

Indeed, the prominence given to the buttons by which users agreed to the use of their data for commercial prospecting purposes (through their size, colour, title and location), compared to the hypertext links allowing users to take part in the game without agreeing to this use (much smaller and blending in with the body of the text), strongly encouraged users to accept.
SOLOCAL MARKETING SERVICES uses data collected by data brokers. Consequently, it must ensure that individuals have expressed valid consent before carrying out its prospecting campaigns.
The contractual requirements that the company imposed on its suppliers, upstream, and the checks that it claimed to have carried out, downstream, were clearly insufficient. In any event, it had not drawn the appropriate conclusions, insofar as forms investigated by the CNIL did not allow valid consent to be obtained.
Failure to demonstrate that the data subject has consented to processing of his or her personal data (Article 7 of the GDPR)
The company failed to provide the CNIL with proof of consent from individuals whose data had been transferred to it by one of its main suppliers. As a result, the CNIL was unable to examine the collection forms used by this supplier and, therefore, the validity of the consent of the data subjects.
It is up to the company, in its capacity as data controller, to prove that its commercial prospecting operations are lawful (in particular, proof of consent).
Moreover, having established that its partner was unable to provide this proof, the company waited almost 17 months before ceasing to use the data transmitted.