CE - No. 492836

Summary

France's administrative court (Conseil d'État) partially upheld CNIL's enforcement action against Tagadamedia, a lead generation company, reducing the fine from €75,000 to €50,000 on procedural grounds while confirming the company's consent forms failed to meet GDPR requirements. The court found that Tagadamedia's forms used dark patterns—prominent 'agree' buttons with less visible decline options—to collect invalid consent for transferring personal data to marketing partners. The ruling reinforces that consent mechanisms must present affirmative and negative options with equal visual prominence to comply with GDPR Articles 6 and 7.

Full text

Help CE - No. 492836: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 07:53, 1 June 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators666 editsm Tag: Visual edit← Older edit Latest revision as of 11:40, 2 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators51 editsTag: Visual edit Line 70: Line 70: }}}} The Court reduced a CNIL fine against a lead generation company from €75,000 to €50,000 but upheld that its consent forms did not validly collect GDPR consent.The Court confirmed that Tagadamedia’s lead-generation forms failed to obtain valid GDPR consent for marketing data transfers, while partly annulling CNIL’s decision on procedural grounds. == English Summary ==== English Summary == Latest revision as of 11:40, 2 June 2026 CE - No. 492836 Court: CE (France) Jurisdiction: France Relevant Law: Article 4(11) GDPR Article 6 GDPR Article 7 GDPR Article 30 GDPR Decided: 20.05.2026 Published: Parties: Tagadamedia CNIL National Case Number/Name: No. 492836 European Case Law Identifier: ECLI:FR:CECHR:2026:492836.20260520 Appeal from: CNIL (France)SAN-2023-025 Appeal to: Original Language(s): French Original Source: Conseil d'État (in French) Initial Contributor: bms The Court confirmed that Tagadamedia’s lead-generation forms failed to obtain valid GDPR consent for marketing data transfers, while partly annulling CNIL’s decision on procedural grounds. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Tagadamedia, the controller, organised online competitions on websites it managed. In this context, it collected participants’ personal data, including names, postal addresses, email addresses and telephone numbers. It then transferred this data to commercial partners for marketing purposes in exchange for payment. The DPA, carried out an on-site inspection at the controller’s premises and later initiated sanction proceedings. The DPA found that the controller’s consent mechanisms did not allow users to give free, specific, informed and unambiguous consent to the transfer of their data to partners for marketing purposes. The controller had used different versions of consent forms. One version displayed a prominent “I agree” button, while the option to continue without receiving partner offers was only available through a less visible link in smaller text. Another version included two buttons, “I agree” and “I decline”, but the visual presentation continued to emphasise consent. The controller later proposed a new form with two similar buttons, “I agree” and “Next step”. The DPA imposed a €75,000 administrative fine for breaches of GDPR Articles 6 and 30. It also ordered the controller, under a daily penalty of €1,000, to implement a compliant form collecting valid consent for the transfer of data to partners. The controller appealed the decision before the Court. Holding The Court partly upheld the appeal. First, the Court rejected the controller’s procedural arguments regarding the DPA’s inspection and the referral to the restricted committee. It held that the competent public prosecutor had been informed in advance of the inspection and that the restricted committee had been validly seized and convened. Second, the Court found that the controller’s rights of defence had been breached in relation to one of the violations. The DPA’s report had alleged that the controller had engaged in unfair processing under GDPR Article 5 because it led users to believe that all transfers were based on consent, while some data was transferred on the basis of legitimate interest and without an option to object. However, the final decision requalified this issue as a breach of GDPR Article 6 for failure to obtain prior consent. Since this specific legal ground had not been included in the report communicated to the controller, the controller had not been able to comment on it. The Court therefore annulled this part of the DPA’s decision. Third, the Court confirmed that the controller’s consent forms did not meet the requirements of the GDPR. It recalled that consent must be freely given, specific, informed and unambiguous, and that it requires a clear affirmative action by the data subject. Although the forms required a positive action, their design and wording were ambiguous. In particular, the “I agree” option was visually highlighted, while the alternative options were less clear or could be misunderstood by users. Therefore, the forms did not allow valid consent for the transfer of personal data to partners for commercial marketing. Fourth, the Court rejected the controller’s argument that the principle of legality of offences and penalties had been breached. It held that the GDPR rules on consent were sufficiently clear and foreseeable for a professional in the digital marketing sector. As a result, the Court reduced the administrative fine from €75,000 to €50,000, taking into account the annulment of one part of the DPA’s reasoning. However, it upheld the injunction requiring the controller to implement a GDPR-compliant consent form, subject to a daily penalty. The Court also ordered publication of its decision under the same conditions as the DPA’s decision and ordered the DPA to pay €2,000 to the controller for legal costs. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the French original. Please refer to the French original for more details. Council of State No. 492836 ECLI:FR:CECHR:2026:492836.20260520 Unpublished in the Lebon collection 10th - 9th chambers sitting together Mr. Jean de L'Hermite, rapporteur SCP ROCHETEAU, UZAN-SARANO & GOULET, Attorneys at Law. Read on Wednesday, May 20, 2026. FRENCH REPUBLIC. IN THE NAME OF THE FRENCH PEOPLE. Having regard to the following procedure: By a summary application, a supplementary memorandum, and a reply memorandum, registered on March 22, 2024, June 19, 2024, and January 21, 2025, at the Registry of the Litigation Division of the Council of State, the company Tagadamedia requests the Council of State: 1) to annul Decision No. SAN-2023-025 of the restricted panel of the National Commission for Information Technology and Civil Liberties (CNIL) dated December 29, 2023, imposing an administrative fine of €75,000 for breaches of Articles 6 and 30 of the General Data Protection Regulation (GDPR), ordering it, under penalty of €1,000 per day of delay, to implement, within one month of notification of this decision... 1) a decision requiring the CNIL to publish, on the websites it operates, a data collection form for prospective customers that allows for the collection of free, specific, informed, and unambiguous consent regarding the transmission of personal data to partners for marketing purposes, and ordering the publication of this decision on the websites of the CNIL and Légifrance under conditions that prevent the company from being identified by name after a period of two years from this publication; 2) in the alternative, to amend the contested decision by reducing the amount of the penalty imposed and to order the CNIL to publish the amending decision on its website and on the Légifrance website; 3) to order the CNIL to pay the sum of €6,000 pursuant to Article L. 761-1 of the Code of Administrative Justice. Having regard to the other documents in the file; Having regard to: - the Constitution, and in particular its Preamble; - the European Convention for the Protection of Human Rights and Fundamental Freedoms; - Regulation (EU) 2016/679 of the European Parliament and of the Council of 26 April 2016; - Law No. 78-17 of 6 January 1978; - Decree No. 2019-536 of 29 May 2019; - the Code of Administrative Justi

Entities