€50 Million Fine Against ORANGE for Unauthorized Advertising and Cookie Reading

The French data protection authority CNIL announced in a recent press release that a fine of €50 million has been imposed on the telecommunications provider ORANGE. The penalty was issued due to unauthorized inbox advertising and reading of cookies despite users withdrawing consent. This decision highlights the strict stance of data protection authorities against companies violating data protection regulations.

CNIL’s Complaints:
The CNIL identified two major practices by ORANGE as violations:

1. Inbox Advertising Without Consent: ORANGE placed advertisements within the web interface of its email portal between users’ actual emails without obtaining prior consent. The CNIL referred to a 2021 European Court of Justice ruling (November 25, 2021 – Case No. C-102/20), which deemed such placements as direct email advertising requiring explicit user approval. Since no approval was obtained, this was ruled a violation.
2. Cookie Reading Despite Withdrawal: The authority also criticized ORANGE for continuing to read user cookies even after users had withdrawn their consent.

Fine Details:

The €50 million fine was justified by the CNIL as follows:

• User Impact and Market Position: The penalty considered the large number of affected users (over 7.8 million people viewed the unauthorized ads in their inboxes) and ORANGE’s position as a leading telecommunications provider in France. The financial benefits ORANGE gained from the practices were also taken into account.
• Instruction to Cease Cookie Reading: ORANGE was also ordered to stop reading cookies after users withdraw consent within three months. Failure to comply could result in an additional fine of €100,000 per day.

Uncertainty on Legal Finality:
It is unclear whether the CNIL’s decision is legally binding yet or whether ORANGE has appealed or will appeal the decision.

Implications for Businesses:

This ruling carries significant implications:

• Strict Compliance with Data Protection Regulations: The CNIL’s decision demonstrates that data protection authorities will rigorously enforce regulations and impose substantial penalties for violations.
• Consent Requirement for Direct Advertising: Companies must obtain explicit consent from users for direct email advertising. Placing ads in email inboxes without consent is prohibited.
• Respect for Consent Withdrawal: Businesses must honor users’ withdrawal of consent for cookie reading and immediately stop processing related data.
• Transparency with Users: Companies need to clearly inform users about data processing and enable them to exercise their rights.

Summary:

The CNIL has fined the telecommunications provider ORANGE €50 million for unauthorized inbox advertising and reading cookies despite users’ withdrawal of consent. This decision emphasizes the strict data protection standards in the European Union and the importance of compliance for companies. It demonstrates that businesses can face severe penalties for violating users’ data protection rights.