Vinted fined €2.38M
French regulator CNIL hit used‑clothing marketplace Vinted with a €2.38 million fine for GDPR failures — specifically poor handling of erasure requests (Article 17), transparency shortfalls (Article 5) and unlawful processing tied to so‑called 'shadow banning' (Article 6). The fine underscores that platforms still face concrete penalties when deletion and disclosure workflows don’t meet European law. If you run a marketplace, this is a fresh reminder to audit your data‑retention and user‑consent flows now. (x.com)
Vinted got hit with a €2,385,276 fine after regulators said the app mishandled requests to delete personal data and secretly limited some users’ visibility on the platform. The penalty was imposed on July 2, 2024 by Lithuania’s data protection authority, with France’s privacy regulator helping on the case because French users had filed many complaints starting in 2020. (cnil.fr) Vinted is based in Lithuania, so under the European Union’s General Data Protection Regulation, the Lithuanian authority led the investigation even though the complaints came from France, Poland, the Netherlands, and Germany. That cross-border setup is why a French regulator is talking about a Lithuanian fine. (cnil.fr) The first problem was deletion. Regulators said Vinted rejected some erasure requests just because users did not name the exact legal ground from Article 17 of the General Data Protection Regulation, even though ordinary people are not expected to write privacy-law briefs to close an account. (cnil.fr) The second problem was the refusal letters. In cases where Vinted kept the data, regulators said the company did not tell complainants all the reasons why their information would continue to be processed, which is where the transparency finding came from. (cnil.fr) The third problem was what regulators called “shadow banning,” which meant making a user’s activity invisible to other users without clearly telling that person. The stated aim was to push users seen as malicious or rule-breaking to leave the marketplace on their own. (cnil.fr) Regulators did not say a marketplace can never limit abusive accounts. They said Vinted used that hidden restriction in a way that excessively harmed users’ rights because people were not informed and could end up unable to contact support properly or exercise their legal rights. (cnil.fr) That detail matters because Vinted is not a tiny niche app. France’s regulator said the platform had about 50 million monthly active users worldwide across its mobile app and website when it described the case. (cnil.fr) The story also did not end with the fine. A referral published in the European Union’s Official Journal on February 23, 2026 shows Vinted is now tied to Case C-730/25 before the Court of Justice of the European Union, with questions that include whether a company can refuse an unspecified deletion request and how much it must disclose about hidden moderation measures. (eur-lex.europa.eu) So this case is now bigger than one resale app. It has turned into a test of how far a platform can make users do legal homework before deleting data, and how much a platform must explain when it quietly turns someone’s account into a ghost. (eur-lex.europa.eu)
