Cold calling: Constitutional Council ends the triple risk

Decision of 25 June 2026 (No. 2026‑1210 QPC): France’s Constitutional Council held unconstitutional three paragraphs of Article L.34‑5 CPCE that allowed CNIL, ARCOM and the DGCCRF to sanction the same instances of electronic marketing without consent. Repeal is deferred to 31 October 2027, but the immediate effect is that one case can no longer be subject to parallel or successive proceedings for the same facts against the same person.

The facts

Referred by the Conseil d’État in a case involving Orange SA, the Council found that the three regimes pursued “the same facts, identically qualified, by sanctions of the same nature, to protect the same societal interests,” breaching the principle of necessity of penalties. The decision was made public on 25 June 2026 and published in the Official Journal on 26 June 2026.

Legal background and basis

• Targeted text: Article L.34‑5 CPCE (electronic marketing, B2C opt‑in; “customer/similar products” exception; right to object), with paragraphs 6, 8 and the penultimate one struck down.
• Sanctioning regimes: CNIL (up to €10m or 2% of global turnover; €20m/4% in some cases), ARCOM (up to 3% of net turnover, 5% for repeat offences; floors), DGCCRF (€75,000 for individuals / €375,000 for legal entities).
• Operative part: partial unconstitutionality, repeal by 31 October 2027 to avoid an enforcement gap, and immediate ban on multiple proceedings/sanctions for the same facts against the same entity.
• Reminder: ePrivacy opt‑in and GDPR compliance remain; B2C telephone marketing in France switches to opt‑in on 11 August 2026 (except ongoing contracts).

Impact for Luxembourg businesses

• End of the “triple front”: for campaigns targeting French residents (email, SMS/MMS, fax, automated messages), a single campaign can no longer face parallel or successive CNIL/ARCOM/DGCCRF proceedings for the same facts since 26 June 2026.
• Clearer competence allocation: the first authority seized “locks in” the case; implement a centralised response strategy to invoke the administrative non‑bis in idem created by the ruling.
• Prepare for redrafting by 31 October 2027: maintain ePrivacy (opt‑in) and GDPR compliance (proof of consent, transparency, right to object) and switch B2C telephone marketing in France to opt‑in by 11 August 2026.

Immediate actions

• Map outbound marketing flows to France: ensure explicit, informed and traceable consent; document the “customer/similar products” exception; provide an opt‑out in every message.
• Set up a France “authorities & proceedings” register: a single intake point (legal/compliance) for CNIL/ARCOM/DGCCRF, track the first filing and prepare responses citing the QPC ruling (ban on multiple proceedings for the same facts).
• Adjust marketing settings before 11 August 2026: move to opt‑in for B2C calls, update privacy notices and consent evidence mechanisms.

Go further

Outsourcing data protection governance can accelerate compliance and authority‑response workflows: our outsourced DPO mandate supports consent evidence, records and regulatory responses. For a refresher on applicable obligations and documentation, see our GDPR overview. To discuss how to adapt your regulatory playbooks, get in touch.

Sources

• Decision No. 2026‑1210 QPC of 25 June 2026 (OJ of 26 June 2026).
• CNIL – Telephone marketing and prospecting: rules and B2C opt‑in starting 11 August 2026.
• Press coverage of the ruling and its immediate effects.

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.