CNIL Fine SOMS €900,000: Dark Patterns and Abusive Telemarketing 2025

The CNIL has just made a strong statement. In May 2025, France's data protection authority imposed a €900,000 fine on SOLOCAL MARKETING SERVICES (SOMS), a company specializing in commercial prospecting via SMS and email. This penalty, accompanied by a compliance order, marks a decisive turning point for the entire telemarketing sector.

The SOMS case: €900,000 fine for abusive prospecting

SOLOCAL MARKETING SERVICES is not an unknown player. A subsidiary of the Solocal group (publisher of the French Yellow Pages), this company operates as an intermediary between data collectors and advertisers.

The scale of the practices in question is considerable: in 2022, SOMS contacted 4.7 million people by SMS and 500,000 by email.

The investigation process

The CNIL conducted thorough investigations examining:

The collection forms used by partner data suppliers
The proof of consent held by the company
The legal bases invoked to justify data processing

The findings are damning: on all three points, SOMS was in violation.

The 3 violations that proved costly

1. Dark patterns: consent biased by design

The data used by SOMS came largely from online sweepstakes participation forms. The CNIL identified the use of dark patterns:

Misleading buttons: labels like "I participate" suggested clicking was necessary to enter
Biased design: the layout made consent appear mandatory
No real choice: refusal options were visually minimized

The CNIL recalls that according to Article 7 of the GDPR and CJEU case law (Planet49, 2019), consent must be freely given, specific, informed, and unambiguous.

2. Complete absence of proof of consent

Under the accountability principle (Article 5 GDPR), the data controller must be able to demonstrate valid consent. SOMS proved unable to provide proof.

The CNIL dismissed their arguments: the data controller is ALWAYS responsible for consent validity, even when data is collected by third parties.

3. Legitimate interest: a poorly invoked legal basis

The CNIL made an important distinction:

For telephone directory data: legitimate interest may be valid
For sweepstakes data: legitimate interest is REJECTED

What this decision changes for businesses

The SOMS sanction draws clear red lines for all players in the leads and prospecting sector.

The data controller is always on the front line

Whether you collect data yourself or buy it from brokers, YOU are responsible for compliance.

The obligation to document consent

The CNIL now requires complete traceability. For each person contacted, you must produce:

The date and time of consent
The exact form used
The information text presented
The person's positive action

Law of May 21, 2025: the coming reversal

Current regime: opt-out

Today, telephone marketing operates on an opt-out principle: companies can call anyone, EXCEPT people registered on Bloctel.

Future regime: mandatory opt-in

From August 11, 2026, telephone prospecting will be prohibited by default. Companies will only be able to call people who have expressly consented.

This reversal represents an earthquake for the industry:

Call centers will have to completely overhaul their acquisition practices
"Cold" prospecting files will become unusable
Only qualified opt-in leads can be used

How to avoid SOMS's fate: compliance checklist

Consent form audit

☐ Is consent distinct from the main action?
☐ Is the text explicit about the type of marketing?
☐ Are recipient partners identified?
☐ Are Accept/Refuse buttons visually balanced?
☐ No boxes are pre-checked?

Proof traceability

☐ Timestamp each consent
☐ Archive form versions
☐ Retain technical logs

FAQ

What's the difference between opt-in and opt-out?

Opt-in requires explicit prior consent. Opt-out allows marketing by default. The May 2025 law shifts to opt-in from August 11, 2026. See our full FAQ.