Privacy & Cybersecurity #25
CNIL 2024 Report & Security Guide | California's DROP Platform | Germany Court Decision | Italy's 'Pay or OK' Model | CCPA–ICO Cooperation | GDPR Fines in Romania & Spain | Todd Snyder Sanctioned
🇫🇷 France: CNIL Issues New Security Guidelines for Large Databases
On April 30, 2025, the French data protection authority, CNIL, released updated security recommendations targeting organizations that manage large-scale personal data systems. This move comes in response to a significant increase in data breaches during 2024, many of which involved unauthorized access to customer and user databases in both public and private sectors.
Key Recommendations
Implement Multi-Factor Authentication (MFA): CNIL emphasizes the necessity of MFA for external access to information systems, especially when users can access data pertaining to millions of individuals. In 2024, approximately 80% of major data breaches were linked to compromised user accounts protected solely by passwords. Introducing a second authentication factor can significantly reduce the risk of unauthorized access resulting from credential theft.
Monitor and Control Data Flows: Organizations are advised to establish robust logging mechanisms to detect and analyze data exfiltration incidents promptly. This includes setting thresholds for data transfers and implementing alerts for unusual activities, thereby enabling early detection and response to potential breaches.
Adopt a Defense-in-Depth Strategy: Beyond perimeter defenses, CNIL recommends a layered security approach that includes internal safeguards to protect against threats that have already penetrated the system. This comprehensive strategy should encompass network segmentation, regular security audits, and strict access controls.
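As an added illustration of the second recommendation (not part of the CNIL guidance), the following Python applies a per-account export threshold over a sliding time window to constructed application logs; the threshold, window and log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application logs: "timestamp user action records_returned".
SAMPLE_LOGS = """\
2025-04-30T09:00:12 alice export 120
2025-04-30T09:05:40 alice export 300
2025-04-30T09:07:02 bob export 50
2025-04-30T09:09:55 alice export 900
2025-04-30T10:30:00 alice export 200
2025-04-30T09:10:10 carol login 0
"""

# Assumed policy values: records an account may export per window before an alert fires.
RECORD_THRESHOLD = 1000
WINDOW = timedelta(minutes=15)


def parse_logs(text):
    """Parse the constructed format into (timestamp, user, action, count) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return sorted(events)


def detect_bulk_exports(events, threshold=RECORD_THRESHOLD, window=WINDOW):
    """Sliding-window volume check per account.

    Returns {user: peak_records_within_window} for every account whose export
    volume inside any window-long span exceeds the threshold. Non-export actions
    are ignored; a burst split across many small exports is still caught because
    the window sums them.
    """
    per_user = defaultdict(list)
    for ts, user, action, count in events:
        if action == "export":
            per_user[user].append((ts, count))
    alerts = {}
    for user, exports in per_user.items():
        start, running = 0, 0
        for ts, count in exports:
            running += count
            # Drop exports that fell out of the window ending at ts.
            while ts - exports[start][0] > window:
                running -= exports[start][1]
                start += 1
            if running > threshold:
                alerts[user] = max(alerts.get(user, 0), running)
    return alerts


if __name__ == "__main__":
    print(detect_bulk_exports(parse_logs(SAMPLE_LOGS)))  # alice's 09:00-09:10 burst exceeds 1000
```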
Under Article 32 of the General Data Protection Regulation (GDPR), failure to implement appropriate security measures can result in administrative fines of up to €10 million or 2% of the annual global turnover, whichever is higher. CNIL has indicated that starting in 2026, it will intensify inspections to ensure compliance with these enhanced security protocols.
🇺🇸 California CPPA Proposes New Rules for Statewide Data Deletion Platform
On April 25, 2025, the California Privacy Protection Agency (CPPA) published a Notice of Proposed Rulemaking to implement a key provision of the Delete Act (SB 362), which was signed into law in October 2023. The centerpiece of this effort is the Delete Request and Opt-Out Platform (DROP) — a centralized system that will allow any California resident to request the deletion of their personal information from all registered data brokers via a single verified request.
What the Delete Act Requires
Under California Civil Code § 1798.99.86, the CPPA is required to:
Maintain a Data Broker Registry, listing all entities engaged in brokering consumer data.
Launch a central deletion platform (DROP) where consumers can issue a one-stop deletion request to all brokers.
The CPPA's proposed regulations outline how the DROP will function and what data brokers must do to comply:
For Data Brokers:
All registered data brokers must create and maintain an account within the DROP system.
Brokers must retrieve deletion request lists from DROP at least every 45 days, process them, and report status updates.
Brokers must use the same hashing algorithm as the CPPA to identify matches between deletion requests and their records.
Brokers must delete all matched personal data unless an exemption applies and must direct their service providers to do the same.
Brokers must safeguard account credentials and notify the CPPA in case of breaches or unauthorized access.
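The broker-side matching step described above, as an added Python example that is not CPPA or DROP code: the actual DROP hashing algorithm and identifier fields are not given here, so SHA-256 over a normalized email address is assumed as a stand-in, and the request list and broker records are constructed.

```python
import hashlib


def normalize_email(email):
    """Both sides must normalize identically, or hashes of the same person never match."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local}@{domain}"


def hash_identifier(email):
    # Assumed algorithm; in practice it must be the one the CPPA specifies.
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


# Constructed stand-in for a deletion-request list retrieved from DROP.
# Only hashes are distributed, so the broker never receives raw identifiers.
DROP_REQUEST_LIST = {
    hash_identifier("Jane.Doe@Example.com"),
    hash_identifier("someone.else@example.org"),
}

# Constructed broker records; "exempt" marks data covered by a statutory exemption.
BROKER_RECORDS = [
    {"id": 101, "email": "jane.doe@example.com", "exempt": False},
    {"id": 102, "email": "JANE.DOE@EXAMPLE.COM ", "exempt": False},
    {"id": 103, "email": "other@example.net", "exempt": False},
    {"id": 104, "email": "someone.else@example.org", "exempt": True},
]


def process_deletion_list(records, request_hashes):
    """Match records to the request list by hash only (no contact with the consumer).

    Returns (ids to delete, ids matched but exempt, status report for DROP).
    """
    to_delete, exempt = [], []
    for rec in records:
        if hash_identifier(rec["email"]) in request_hashes:
            (exempt if rec["exempt"] else to_delete).append(rec["id"])
    report = {
        "requests_received": len(request_hashes),
        "records_deleted": len(to_delete),
        "records_exempt": len(exempt),
    }
    return to_delete, exempt, report


if __name__ == "__main__":
    print(process_deletion_list(BROKER_RECORDS, DROP_REQUEST_LIST))
```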
Consumers can submit one deletion request that applies to all brokers in the registry. Brokers are barred from contacting consumers to verify identity; verification is handled within the DROP. Authorized agents may submit or amend requests on a consumer’s behalf under specified conditions.
The CPPA estimates that:
Initial compliance costs will average $719 per business ($599 for small businesses);
Annual costs will average $2,809 ($1,873 for small businesses);
Approximately 496 data brokers, including 270 small businesses, will be affected.
Written comments are open until June 10, 2025, at 5:00 PM PT.
🇮🇹 Italy Opens Public Consultation on “Pay or OK” Consent Models
On April 29, 2025, Italy’s Garante launched a public consultation on the controversial “Pay or OK” model — a practice where users must either pay for access to online content or accept tracking for targeted advertising.
What Is “Pay or OK”?
This model (also called “pay or consent” or a “consent paywall”) presents users with a binary choice:
Pay a subscription fee to access the content without tracking, or
Consent to data collection for profiling and targeted ads.
If neither option is selected, access to the content is denied. The Garante is questioning whether such “consent” is truly freely given and informed — especially when refusal means loss of access.
Legal Grounds and Concerns
The consultation is grounded in Article 7 and Recital 42 of the GDPR, which require that consent be:
Freely given;
Specific;
Informed; and
Unambiguous.
Key issues raised by the Garante:
Can consent be considered “free” when refusal blocks access?
Can users truly make an informed choice when one click authorizes tracking by hundreds of unknown third parties for multiple vague purposes?
Does economic vulnerability pressure users into accepting invasive tracking just to access basic news or services?
🇺🇸🇬🇧 California CPPA and UK ICO Sign Cross-Border Cooperation Agreement
On April 29, 2025, the California Privacy Protection Agency (CPPA) and the UK Information Commissioner's Office (ICO) signed a declaration of cooperation to enhance privacy protections across jurisdictions. The agreement aims to:
Facilitate joint research and education on emerging technologies and data protection issues.
Share best practices, knowledge, and investigative methods.
Convene meetings between staff members.
Develop mechanisms for mutual collaboration.
This agreement builds upon the CPPA's ongoing efforts to forge and strengthen partnerships with international data protection authorities. Previous collaborations include agreements with the Republic of Korea's Personal Information Protection Commission (PIPC) in January 2025 and France's Commission Nationale de l'Informatique et des Libertés (CNIL) in June 2024.
The CPPA is also an active member of several international privacy organizations, including the Global Privacy Assembly, the Asia Pacific Privacy Authorities, the Global Privacy Enforcement Network, and the International Working Group on Data Protection in Technology.
🇪🇸 Spain: App Fined for Collecting ID Scans Without Justification
Excessive identity verification method violates GDPR’s data minimization principle
On March 26, 2025, the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) finalized a sanction against the operator of a social networking app for unlawfully collecting full scans of users’ national ID documents as a condition for account verification.
The operator accepted responsibility and paid a reduced fine of €600 under early resolution and voluntary payment terms. The original proposed fine was €1,000.
Users seeking “verified” status in the app were required to upload scanned images of both sides of their national ID (DNI). These scans were temporarily stored until a manual review was performed. The AEPD found this practice to be an unnecessary and intrusive form of identity verification.
While the app claimed that verification helped prevent fraud and impersonation—particularly in high-risk sectors—the authority concluded that less invasive methods (such as third-party identity APIs) were available and more appropriate.
The AEPD held that the app violated Article 5(1)(c) GDPR, which requires personal data to be “adequate, relevant and limited to what is necessary” (data minimization). The agency also emphasized that:
Other means of verifying identity were reasonably available;
Temporary storage of ID scans does not eliminate the risk of excessive processing;
Voluntary features (like paid tools for verified users) do not exempt data controllers from complying with GDPR.
In addition to the fine, the AEPD ordered the app operator to stop requiring ID scans for verification, implement a compliant identity verification method within three months, and report its compliance actions back to the AEPD.
The controller has since suspended its identity verification feature and is evaluating alternative API-based solutions.
Recommendations for Businesses:
Always evaluate less intrusive options before choosing a verification method.
Document your decision-making process and risk assessments for data collection methods.
🇺🇸 California Issues CCPA Enforcement Order: Todd Snyder Inc. Penalized for Privacy Violations
On May 1, 2025, the California Privacy Protection Agency (CPPA) finalized a formal enforcement decision under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The enforcement order was issued against Todd Snyder, Inc., a fashion retail company.
The CPPA found that Todd Snyder, Inc. violated the CCPA’s requirement for clear and conspicuous opt-out mechanisms regarding the sale or sharing of personal information.
Specifically, the company:
Failed to provide a “Do Not Sell or Share My Personal Information” link as required by Cal. Civ. Code § 1798.135(a)(1);
Did not comply with the regulations on user-enabled global privacy controls (GPCs) — browser signals that express a user’s preference to opt out of data sales;
Was also flagged for not meeting transparency obligations under the CPPA’s implementing regulations.
This is the first enforcement order fully executed by the CPPA itself — as distinct from prior CCPA enforcement led by the California Attorney General’s office. The case was processed under the CPPA’s newly established Enforcement Division.
Under the final order, Todd Snyder Inc. entered into a stipulated resolution (the exact monetary penalty, if any, was not disclosed in the published documents) and agreed to remedial actions, including bringing its website into compliance with GPC signal recognition and opt-out link requirements.
The enforcement action focuses on Sections 7026 and 7024 of the CCPA Regulations, which require businesses to:
Honor opt-out preference signals in a frictionless, automatic manner;
Make clear disclosures and provide accessible opt-out mechanisms;
Avoid “dark patterns” or deceptive interfaces that frustrate user choice.
The CPPA has indicated that GPC non-compliance will be a recurring enforcement theme, especially in retail, e-commerce, and adtech.
Recommendations for Businesses
Review and audit your opt-out processes — both user interface and back-end logic.
Ensure technical implementation of GPC signals is in place and tested.
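To show what the GPC requirement looks like on the server side, here is an added Python example (not Todd Snyder's or the CPPA's code). Browsers expose the Global Privacy Control signal as the request header Sec-GPC: 1; the preference store and the tag-gating logic around it are assumptions.

```python
def gpc_enabled(headers):
    """True when the request carries a valid GPC signal (the value must be exactly '1')."""
    value = headers.get("Sec-GPC") or headers.get("sec-gpc")
    return value is not None and value.strip() == "1"


def resolve_opt_out(headers, user_id, preferences):
    """Return the user's effective sale/sharing preference for this request.

    preferences is an assumed store: {user_id: {"opt_out": bool, "source": str}}.
    A GPC signal is recorded as an opt-out that persists for later requests,
    so the user does not have to resend the signal or click a link.
    """
    current = preferences.get(user_id, {"opt_out": False, "source": "default"})
    if gpc_enabled(headers):
        # The signal overrides previously recorded consent. A business may show
        # a conflict notice, but it must not ignore the signal.
        current = {"opt_out": True, "source": "gpc"}
        preferences[user_id] = current
    return current


def third_party_tags_allowed(pref):
    """Gate for tags that sell or share personal data; respects any recorded opt-out."""
    return not pref["opt_out"]


def serve_page(headers, user_id, preferences):
    """Assumed page handler: decide what to load before any tag fires."""
    pref = resolve_opt_out(headers, user_id, preferences)
    return {
        "load_ad_tags": third_party_tags_allowed(pref),
        "opt_out_source": pref["source"],
        # Tell caches the response depends on the signal, so an opted-out
        # response is never served to a user without one (and vice versa).
        "vary": "Sec-GPC",
    }


if __name__ == "__main__":
    store = {}
    print(serve_page({"Sec-GPC": "1"}, "user-1", store))  # ad tags suppressed
    print(serve_page({}, "user-1", store))                # opt-out persisted
```

The same check applies to every entry point that can trigger a sale or share, not only the homepage; a one-off cookie banner is not a substitute for honoring the header on each request.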
🇩🇪 Germany Court: No GDPR Damages for Delayed Data Access Without Real Harm
A delayed data subject access request response may violate GDPR, but does not automatically trigger compensation unless there is a real, provable impact on the individual.
On February 20, 2025, the German Federal Labour Court (Bundesarbeitsgericht, BAG) ruled in case 8 AZR 61/24 that a delayed response to a data subject access request under Article 15 GDPR does not in itself justify compensation under Article 82 GDPR — unless the claimant proves an actual, non-material harm.
The claimant, a former employee, had requested a renewed copy of his personal data in October 2022, years after his employment ended. The company responded late. He claimed €2,000 in damages for the emotional impact of the delay, including concerns about potential misuse of data and general frustration with the process.
While the lower court awarded him €10,000, the appellate court reversed the decision — and the Bundesarbeitsgericht upheld that reversal.
Key Takeaways from the Ruling
Under Article 82(1) GDPR, damages require three cumulative elements:
A GDPR violation;
A material or non-material damage;
A causal link between the two.
The court acknowledged that even a short loss of control over data can be compensable. Emotional harm like fear of misuse can qualify — if justified by facts. But in this case the claimant failed to prove any specific risk, misuse, or factual basis for his emotional distress. Negative feelings like being “annoyed” or “worried” were found too abstract to amount to harm. The court emphasized that damages are compensatory, not punitive: the goal is to offset actual harm, not to penalize technical violations.
In short, a delayed response to a data subject access request may violate Articles 15 and 12(3) GDPR, but it does not automatically trigger compensation unless there is a real, provable impact on the individual.
Recommendations for Businesses
Keep audit trails of all data subject access request handling (dates, responses, scope);
Document legal review of delayed cases and their impact.
🇷🇴 Romania: Bitdefender Fined for Email Security Update Flaw Leading to Data Breach
On April 30, 2025, the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) announced that it had fined cybersecurity company Bitdefender SRL €10,000 (approximately 49,772 RON) for violating Article 32 of the General Data Protection Regulation (GDPR).
Bitdefender reported a personal data breach to the ANSPDCP, as required under Article 33 of the GDPR. The breach occurred due to a programming or implementation error during an update to its email security analysis service. This error led to the unauthorized disclosure of a significant number of clients' personal data to third parties. The compromised data included at least names, surnames, and email addresses.
The ANSPDCP's investigation concluded that Bitdefender failed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as mandated by Article 32(1)(b) and (d) and Article 32(2) of the GDPR. Specifically, the company did not regularly test, assess, and evaluate the effectiveness of its security measures.
Recommendations for Businesses
Implement routine testing and evaluation of security measures to identify and rectify potential vulnerabilities.
Establish robust change management protocols to assess the impact of updates on data security.
Develop and maintain an effective incident response plan to address potential data breaches promptly.
Ensure that staff involved in system updates are adequately trained on data protection principles and practices.
🇫🇷 France: CNIL’s 2024 Report
On April 29, 2025, the French data protection authority CNIL published its Rapport Annuel 2024, detailing a year of enforcement, regulatory coordination, and new strategic initiatives.
Key Enforcement Highlights
87 sanctions issued, more than double the 42 in 2023.
€55,212,400 in total fines, up from €40 million in 2023.
321 inspections conducted, including:
166 on-site,
99 online,
44 on documentation,
12 via hearings.
180 formal notices issued.
64 legal reminders by the CNIL President.
Notable penalties included:
€50 million against Orange for inserting ads in user inboxes without consent.
€290 million against Uber, in coordination with the Dutch DPA, for unlawful transfers of drivers' data to the U.S.
The simplified sanction procedure accounted for 69 of the 87 decisions — a mechanism allowing rapid response to clear, lower-risk violations.
Cybersecurity and Breaches
5,629 data breaches were reported in 2024 — up 20% from 2023.
The number of incidents affecting over 1 million people doubled, from ~20 to ~40.
Recurring security failures included poor password hygiene, outdated TLS protocols, and uncontrolled internal access.
Affected sectors spanned from healthcare to retail, including incidents at Free, France Travail, Viamedis, and Auchan.
Strategic Roadmap 2025–2028
The CNIL’s new strategy focuses on:
Artificial Intelligence. Supporting innovation while developing AI compliance tools and auditing capabilities.
Youth and Digital Screens. Combatting overexposure and exploitation of minors' data online, with national educational campaigns.
Cybersecurity Maturity. Expanding guidance and inspections to help all sectors adopt modern data protection standards.
Mobile Apps and Digital Identity. Increasing scrutiny on app trackers and digital ID schemes. Mobile app enforcement will intensify in 2025.
The CNIL also updated its Data Security Guide and initiated a public consultation on multi-factor authentication, responding to systemic failures in access controls across sectors.
Cross-Border and International Collaboration
12 European GDPR sanctions coordinated by CNIL.
Signed a cooperation agreement with the California Privacy Protection Agency (CPPA) in June 2024.
Took part in the G7 Privacy Summit on AI governance and child protection.
Key Figures
17,772 complaints received, a new record.
298 employees, including 10 new hires.
€28.2 million budget, with 99% execution rate.
11.6 million visits to the CNIL’s website.
274 resources published, including 12 AI-related guidance notes.
***
Direct your questions to groundcontrol@kepler.consulting.
Until the next transmission, stay secure and steady on course. Ground Control, out.