As the company itself has now confirmed to BFM Tech and others, Intersport is the subject of a €3.5 million fine imposed on Dec. 30, 2025, by France’s National Commission on IT and Liberties (CNIL). The CNIL’s deliberations (in French) mention only a “retailer X,” found to have transferred customer data without consent to a social network for targeted advertising. 

In its confirmation Intersport says it has “never sold the personal data of its customers.” “The retailer,” it continues, “has in the past used one of the advertising services offered by a social network, without releasing the data. This mechanism for targeted advertising, which the CNIL is now calling into question, is at the origin of the engaged proceedings.”

CNIL investigations stretching back to January 2023 have found that the company had been transferring the email addresses and telephone numbers of members of its loyalty program in this way since February 2018, in violation of the EU’s General Data Protection Regulation (GDPR) and France’s Data Protection Act.

In particular:

  • the loyalty program’s terms made no mention of such transfers
  • other information on the company website failed either to mention the transfers or to state their purpose
  • the rules for user-account passwords were insufficiently robust
  • the hash function used to store passwords was insecure
  • the company failed to conduct a data protection impact assessment (DPIA) before implementing targeted advertising on the social network
  • the company website would place eleven cookies subject to consent on customer computers before any consent was given

The CNIL justifies the size of the fine by the seriousness of the breaches and the high number of people affected (more than 10.5 million). It has also broken with custom by making its deliberations public: “since the use of targeted advertising on social networks is a widespread practice among economic operators, it was important to inform the public about the rules applicable in this area, without it being, in this case, necessary to name the company concerned.”

How unusual is this?

CNIL sanctions on companies in the sporting-goods industry have been fairly rare since the GDPR entered into force (May 2018). We find the following:

  • a €20,000 fine in 2025 on a company specializing in the retail sale of sports goods in specialized shops for data violations involving CCTV
  • a €15,000 fine in 2024 on a company operating shoe and sportswear stores over the information provided to individuals and consent (cookies)
  • a €3,000 fine in 2024 on a company running a gym for failure to cooperate with the CNIL

But we also find a €60 million fine and an injunction in 2021 on a social network for a cookie-refusal mechanism and a failure to inform individuals.

More common among those sanctioned by the CNIL are physicians and dentists. Also sanctioned: one French ministry.

Elsewhere we find:

  • a €1.5 million fine levied in 2024 by the Spanish Agency for Data Protection (AEPD) on Sprinter Megacentros del Deporte (sportswear retailer, Spain) for data processing violations of the GDPR
  • a €746 million fine levied in 2021 by Luxembourg’s National Commission on Data Protection (CNPD) on Amazon for violations of the GDPR
  • a $300,000 settlement paid in 2023 by retailer Sports Warehouse Inc. (parent of Tennis Warehouse, Running Warehouse, et al.) to the state of New York over a cybersecurity breach in 2021 that exposed the payment and login data of 2.5 million customers