This month, the French Data Protection Authority ("CNIL") issued a substantial fine of €50 million to Orange, France's leading telecommunications operator. In addition, the CNIL imposed an order for Orange to stop reading cookies set on the user's device following the withdrawal of consent by the user, which Orange must do within three months or otherwise face further fines of €100,000 per day until the issue is remedied.
Orange provides customers with an e-messaging service – "Mail Orange". The CNIL had found that the company had used this service to embed email advertising into user accounts without obtaining consent. Additionally, the CNIL reported that the company continued to use cookies to track website users even after they had explicitly opted out.
According to Louis Dutheillet de Lamothe, deputy head of the CNIL, this decision should act as a "warning for other operators" and should deter companies from attempting to gain a monetary advantage from non-compliance with marketing rules.
Inserting ads between emails
Orange had directly prospected its users by promoting ads for goods and services in inboxes normally reserved for private emails. The CNIL noted that "the company has derived a definite financial advantage from the infringements" as "advertising is not at the heart of the company's activities". Further, the company had direct control over the ads as it had sold these "dedicated spaces to advertisers". Consequently, it was necessary to obtain user consent.
Basing its decision on a judgment from the Court of Justice of the European Union on 25 November 2021, the CNIL adopted a broad interpretation of the provisions of Article L. 34-5 of the French Post and Electronic Communications Code (CPCE), concluding that Orange had contravened its principles by disguising advertising messages as genuine emails. Notably, the CNIL did recognise the company's attempt to adopt "measures to bring the practices into line" with the provisions of the CPCE, "by ceasing to display advertising messages between emails received from November 2023".
Despite this, a fine was imposed as Orange had displayed ads in its users' inboxes "in the form of emails among genuine emails" without obtaining consent. The CNIL also noted that the large number of data subjects involved (over 7.8 million users) and Orange's market position as France's leading telecommunications operator were relevant factors in determining the level of the fine.
Overlooking the withdrawal of cookie consent
In addition, the CNIL's investigations revealed that the Orange website used a variety of cookies to track user activity even after an individual had withdrawn their consent, in contravention of Article 82 of the French Data Protection Act (DPA). The CNIL noted that the reading of cookies in this context, which consists in accessing data stored in the user's device, is explicitly prohibited by the DPA, even if that data is not subsequently used.
The CNIL noted that Orange had been "highly negligent" as the company should have been aware of the clear rules relating to electronic commercial prospecting, in light of its "position on the market and the means at its disposal."
Orange sought to argue that the data obtained through its continued reading of cookies was not used in any way and that no harm was therefore caused to the user. However, the CNIL rejected this argument, concluding that such practices nevertheless constituted a direct breach of the DPA.
The imposition of the fine
As a result of these contraventions, the CNIL ultimately decided to impose sanctions on Orange, consisting of:
- an administrative fine of €50 million for displaying advertising messages to users without consent; and
- an order to stop reading cookies after the user has withdrawn their consent.
Orange must do this within 3 months, failing which a further fine of €100,000 will be imposed each day this correction is overdue.
Orange has announced its plans to challenge the fine before the State Council (Conseil d'Etat), arguing that it was "totally disproportionate". Orange has argued that these advertisements represented "neither a breach nor a lapse in security, but common market practice that did not involve any use of customers' personal data... This sanction is all the more incomprehensible as Orange had not received any prior warning or peremptory notice on this matter".
Takeaways
In its decision, the CNIL commented on the "intrusive" practices adopted by Orange. The CNIL noted that "it is apparent from the findings made by the delegation that several messages of this type could be displayed at the same time in the users' inboxes, in the middle of their private emails, without their consent. Such a practice, which consists of using the subscriber's trust in the service used, corresponds very precisely to an intrusion."
The fine imposed was unusually high for such a breach, especially in comparison to other fines imposed on major tech giants. Nevertheless, this case is a clear indication of the importance of complying with the laws surrounding direct marketing and cookie compliance and serves as a strong warning to other operators of the consequences if they fail to do so.
It is therefore advisable for organisations to ensure that:
- customers provide clear consent to receive marketing communications where required by law, and that such consent is documented; and
- appropriate solutions are implemented to enable the effective withdrawal of consent to the use of non-essential cookies, and that, where consent is withdrawn, the withdrawal is adhered to.