Source: Ius Mentis
A fine issued by the French data protection authority raises questions that are relevant well beyond France, including for small businesses in the UK.
According to the Dutch legal blog Ius Mentis, the French data protection authority (CNIL) imposed a fine of 3.5 million euros on an unnamed French company on 30 December 2025. The case involved two separate problems.
First, the company shared personal data from its loyalty programme members with a social network for targeted advertising, reportedly without valid consent from those members.
Second, the company was found to have stored customer passwords as a single salted SHA-256 digest. According to Ius Mentis, the CNIL considered this inadequate because the French national cybersecurity agency ANSSI had previously indicated that SHA-256 and similar general-purpose hash functions are very fast to execute. A salt defeats precomputed (rainbow) tables, but it does nothing about the cost of each individual guess: with a leaked database, an attacker can compute one SHA-256 per candidate password at a rate of many millions per second on commodity GPUs, so that speed works in favour of attackers. Dedicated password-hashing algorithms such as Argon2 are deliberately slow and memory-hungry per evaluation, which is exactly what limits this kind of offline brute-force attack.
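To make the speed argument concrete, the following Python script is an added example written for this article; it is not code from Ius Mentis, the CNIL or the fined company. It puts a single salted SHA-256 pass beside scrypt from Python's standard library (Argon2 is not in the standard library; scrypt shares the memory-hard design goal, and argon2-cffi is the usual choice for Argon2 in production), runs a small constructed guess list against a stored record of each kind, measures a rough single-core guess rate, and goes one step beyond the text by showing how a self-describing stored record lets a site upgrade legacy SHA-256 records to the slow scheme at the user's next successful login. The record format, the scrypt parameters, the sample password and the guess list are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Constructed sample data for the demonstration (not from any real breach).
SAMPLE_PASSWORD = "correct horse"
GUESS_LIST = ["password", "123456", "letmein", "correct horse", "qwerty"]

# Assumed scrypt parameters: memory per hash is roughly 128 * r * N bytes,
# so N=2**14, r=8 needs about 16 MiB. Tune N upwards for production use.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


# --- Legacy scheme the CNIL found inadequate: one salted SHA-256 pass ---
def sha256_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def sha256_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- Memory-hard alternative from the standard library: scrypt ---
def scrypt_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=SCRYPT_MAXMEM, dklen=32)
    return salt, digest


def scrypt_verify(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = scrypt_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


# --- Hypothetical self-describing record "$alg$salthex$digesthex", so the
# --- scheme in use can be recognised in the database and upgraded later ---
def encode_record(algorithm: str, salt: bytes, digest: bytes) -> str:
    return "$".join(["", algorithm, salt.hex(), digest.hex()])


def parse_record(record: str) -> Tuple[str, bytes, bytes]:
    _, algorithm, salt_hex, digest_hex = record.split("$")
    return algorithm, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


VERIFIERS = {"sha256": sha256_verify, "scrypt": scrypt_verify}
PREFERRED = "scrypt"


def login(record: str, password: str) -> Tuple[bool, str]:
    """Verify against whatever scheme the record uses. On success, if the record
    is not using the preferred scheme, return a fresh record to store in its
    place (rehash-on-login): the plaintext is only available at this moment."""
    algorithm, salt, digest = parse_record(record)
    if not VERIFIERS[algorithm](password, salt, digest):
        return False, record
    if algorithm != PREFERRED:
        new_salt, new_digest = scrypt_hash(password)
        return True, encode_record(PREFERRED, new_salt, new_digest)
    return True, record


# --- Offline guessing: the attacker's view of a leaked record ---
def crack(record: str, guesses) -> Tuple[Optional[str], int]:
    """Try each guess in order; return (recovered password or None, guesses used)."""
    algorithm, salt, digest = parse_record(record)
    verify = VERIFIERS[algorithm]
    for tried, guess in enumerate(guesses, 1):
        if verify(guess, salt, digest):
            return guess, tried
    return None, len(guesses)


def guesses_per_second(hash_fn: Callable[[str], Tuple[bytes, bytes]],
                       seconds: float = 0.5) -> float:
    """Rough single-core guess rate for hash_fn. Real attackers use GPUs and
    exceed this by orders of magnitude for SHA-256, which is the CNIL's point."""
    start, count = time.perf_counter(), 0
    while time.perf_counter() - start < seconds:
        hash_fn("guess%d" % count)
        count += 1
    return count / seconds


if __name__ == "__main__":
    legacy = encode_record("sha256", *sha256_hash(SAMPLE_PASSWORD))
    ok, upgraded = login(legacy, SAMPLE_PASSWORD)
    print("login ok:", ok, "| record now uses:", parse_record(upgraded)[0])
    print("cracked legacy record:  ", crack(legacy, GUESS_LIST))
    print("cracked upgraded record:", crack(upgraded, GUESS_LIST))
    print("sha256 guesses/s: %.0f" % guesses_per_second(sha256_hash))
    print("scrypt guesses/s: %.0f" % guesses_per_second(scrypt_hash))
```

Both records fall to the same five-word guess list, because the weakness being discussed is not the salt but the cost per guess: the printed guess rate for the SHA-256 record will be several orders of magnitude higher than scrypt's even on a single CPU core, and a GPU cracking rig widens that gap further. The rehash-on-login step is how a site that already holds SHA-256 records moves to a slow scheme without forcing a password reset; records of users who never log in again stay weak, which is the usual argument for expiring them.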
The CNIL based the security part of its decision on Article 32 of the GDPR, which requires organisations to implement appropriate technical measures to protect personal data. Ius Mentis also notes that Article 63 of the GDPR requires data protection authorities across the EU to cooperate and align their views, meaning a CNIL position on password security is unlikely to stay confined to France.
The CNIL decision is binding in France. For other countries, including the UK, it is not automatically binding. However, as Ius Mentis points out, the cooperation mechanism under the GDPR means that regulators tend to align over time. The ICO, which enforces UK GDPR and the Data Protection Act 2018, expects organisations to use appropriate security measures under similar principles.
It is worth noting that Ius Mentis is a secondary source reporting on the CNIL decision, not the official decision text itself. The fine amount, date and legal citations are as reported by the blog, and have not been independently verified from the primary source.
If your website stores customer passwords, the method used to protect those passwords matters under UK GDPR. Using a fast, general-purpose hash such as SHA-256 for password storage, even with a salt, could be considered an inadequate security measure by the ICO. It is worth asking your web developer or hosting provider which algorithm your customer passwords are hashed with, and whether a purpose-built password hashing algorithm such as Argon2 is already in place or can be introduced by rehashing passwords as users log in. You can also review our security checklist for small businesses for practical next steps.