Deezer and Optimove: French regulator fines Israeli marketing platform €1M for processor violations

CNIL Fines Israeli Marketing Firm Optimove €1M for GDPR Violations in Massive Deezer Data Breach

France’s data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), imposed a €1 million fine on Israeli marketing technology company Optimove (operating as Mobius Solutions Ltd.) on December 11, 2025, for systematic failures in GDPR compliance that led to a data breach affecting 46.9 million Deezer users worldwide, including 9.8 million in France.

Key Violations and Findings

The enforcement action targeted three GDPR violations:

  1. Article 28(3)(g) – Failure to delete or return personal data after the contract with Deezer ended (December 1, 2020). Optimove retained non-anonymized user data in a non-production environment until October 1, 2023, nearly a year after Deezer reported the breach.
  2. Article 29 – Processing personal data without controller instructions. Optimove copied data from 9.8 million French Deezer users to an unauthorized environment for internal use, despite contractual prohibitions.
  3. Article 30 – Lack of a formal register of processing activities, a requirement for processors handling high-risk data, even for companies with fewer than 250 employees.

The breach exposed sensitive user data, including identifiers, contact details, listening habits, payment information, and behavioral profiles, which later surfaced on the darknet, increasing risks of phishing and identity theft.

How the Breach Unfolded

  • April 2019: Optimove employees copied non-anonymized Deezer user data from a production environment to an unauthorized non-production system.
  • December 1, 2020: The contract with Deezer ended, but Optimove failed to delete the data as required.
  • October 31–November 5, 2022: The breach occurred, exposing 46.9 million users globally.
  • November 10, 2022: Deezer notified CNIL, identifying Optimove as the likely source.
  • January 31, 2023: Deezer confirmed the breach originated from Optimove’s systems.
  • October 1, 2023: Optimove finally deleted the unauthorized data copy—nearly a year after the breach was reported.

Legal and Regulatory Impact

The case marks a significant enforcement action against a non-EU data processor, reinforcing that GDPR applies to companies monitoring behavior of EU individuals (Article 3(2)(b)), even if based outside the bloc. The CNIL rejected Optimove’s arguments that:

  • Employee actions without management knowledge excused the violations.
  • International comity (Israel’s adequacy status) should limit CNIL’s jurisdiction.
  • Behavioral profiling did not fall under GDPR’s territorial scope.

The decision aligns with broader EU regulatory trends, where data processors face direct liability for compliance failures. Recent cases, such as McDonald’s Poland’s €3.89M fine (July 2025) and Germany’s standardized fine procedures (June 2025), underscore heightened scrutiny on processor accountability.

Penalty Calculation and Next Steps

The €1 million fine, which is below the cap of 2% of global revenue, reflects CNIL’s consideration of Optimove’s financial situation (reported revenues of $30–40M in 2023–2024) and its level of cooperation, though the company initially contested responsibility. The decision will be published publicly and anonymized after two years.

Optimove has four months to appeal to France’s Council of State but has not indicated whether it will challenge the ruling. The case serves as a precedent for marketing technology providers, emphasizing that processors must implement strict controls over data handling, deletion, and employee activities to avoid GDPR violations.

Source: https://ppc.land/french-regulator-fines-israeli-marketing-platform-eu1m-for-processor-violations/

Deezer TPRM report: https://www.rankiteo.com/company/deezer

Optimove TPRM report: https://www.rankiteo.com/company/optimove

{
  "id": "deeopt1766231704",
  "linkid": "deezer, optimove",
  "type": "Breach",
  "date": "12/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '46.9 million',
                        'industry': 'Entertainment',
                        'location': 'France',
                        'name': 'Deezer',
                        'size': 'Large',
                        'type': 'Music Streaming Platform'},
                       {'industry': 'Advertising/Marketing',
                        'location': 'Israel',
                        'name': 'Optimove',
                        'size': 'Medium (238 employees)',
                        'type': 'Marketing Technology Company'}],
 'attack_vector': 'Unauthorized Data Copying',
 'data_breach': {'data_exfiltration': 'Yes (sold on darknet)',
                 'number_of_records_exposed': '46,900,000',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII, behavioral data, payment '
                                        'information)',
                 'type_of_data_compromised': ['User identifiers',
                                              'Country',
                                              'Language',
                                              'Gender',
                                              'Application identifiers',
                                              'Dates of birth',
                                              'Newsletter subscription status',
                                              'Account creation dates',
                                              'Session creation dates',
                                              'Number of track listens per day',
                                              'Saved playlists',
                                              'Listened playlists',
                                              'First payment dates',
                                              'Total payments made',
                                              'Average daily track listens',
                                              'Lifecycle indicators',
                                              'Daily listening time',
                                              'Favorite artists',
                                              'Created playlists',
                                              'Pause clicks',
                                              'Loved clicks']},
 'date_detected': '2022-11-10',
 'date_publicly_disclosed': '2025-12-19',
 'date_resolved': '2023-10-01',
 'description': "France's Commission Nationale de l'Informatique et des "
                'Libertés (CNIL) imposed a €1 million administrative fine on '
                'Israeli marketing technology company Optimove for violations '
                'of data processor obligations under the General Data '
                'Protection Regulation (GDPR). The enforcement action '
                'addresses systematic failures in data handling practices that '
                'enabled a massive breach affecting 46.9 million Deezer users '
                'worldwide, including 9.8 million in France.',
 'impact': {'brand_reputation_impact': 'Significant',
            'data_compromised': '46.9 million records',
            'financial_loss': '€1,000,000 (fine)',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'GDPR violations (Articles 28, 29, 30)',
            'operational_impact': 'Regulatory scrutiny, reputational damage',
            'payment_information_risk': 'Moderate',
            'systems_affected': ["Deezer's user database",
                                 "Optimove's non-production environment"]},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes'},
 'investigation_status': 'Closed',
 'lessons_learned': 'Processors must implement robust systems to track and '
                    'verify all data processing activities, maintain formal '
                    'registers of processing activities, ensure all employee '
                    'activities involving client data occur within contractual '
                    'scope, and implement technical measures to prevent '
                    'unauthorized copying or retention of client data beyond '
                    'service provision periods.',
 'motivation': 'Internal Use for Service Improvement',
 'post_incident_analysis': {'corrective_actions': ['Data deletion from '
                                                   'unauthorized environment',
                                                   'Enhanced data handling '
                                                   'controls',
                                                   'Compliance reviews',
                                                   'Implementation of '
                                                   'processing activity '
                                                   'registers'],
                            'root_causes': ['Failure to delete client data '
                                            'after contract termination',
                                            'Unauthorized copying of '
                                            'non-anonymized data to '
                                            'non-production environment',
                                            'Processing personal data without '
                                            'controller instructions',
                                            'Lack of proper records of '
                                            'processing activities']},
 'recommendations': ['Implement robust systems to track and verify all data '
                     'processing activities',
                     'Maintain formal registers of processing activities '
                     'regardless of company size',
                     'Ensure all employee activities involving client data '
                     'occur within contractual scope',
                     'Implement technical and organizational measures to '
                     'prevent unauthorized copying or retention of client data',
                     'Delete client data immediately upon contract termination',
                     'Conduct regular compliance audits for GDPR processor '
                     'obligations'],
 'references': [{'date_accessed': '2025-12-19',
                 'source': 'CNIL Decision',
                 'url': 'https://www.legifrance.gouv.fr/'},
                {'source': 'PPC Land'}],
 'regulatory_compliance': {'fines_imposed': '€1,000,000',
                           'legal_actions': 'Administrative fine, public '
                                            'decision publication',
                           'regulations_violated': ['GDPR Articles 28, 29, 30'],
                           'regulatory_notifications': 'Yes (CNIL)'},
 'response': {'communication_strategy': 'Regulatory notifications, public '
                                        'decision publication',
              'containment_measures': 'Data deletion from unauthorized '
                                      'environment',
              'remediation_measures': 'Enhanced data handling controls, '
                                      'compliance reviews'},
 'stakeholder_advisories': 'Regulatory enforcement action, public decision '
                           'publication',
 'title': 'CNIL Imposes €1 Million Fine on Optimove for GDPR Violations '
          'Leading to Deezer Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Inadequate Data Handling Controls'}