The CNIL inflicts a fine of 50 million euros on the Orange operator for unconted advertisements

The National Commission for Data Protection (CNIL) announced, Tuesday, December 10, inflict a fine of 50 million euros on the Orange telecoms operator for having displayed advertisements without the consent of users of its services as email.

“The Internet service provider, and supplier of Orange messaging, used its email service to slide advertisements between emails”which themselves took the appearance of emails, detailed at the Agency France-Presse Louis Dutheillet de Lamothe, secretary general of the CNIL.

Orange “Take note of the CNIL's decision, but disputes the sanction and the totally disproportionate nature of its amount”reacted the company, which “Intends to appeal against this decision before the Council of State”.

The insertion of these advertising inserts within a messaging, which did not use user email addresses, was nevertheless assimilated by the CNIL to the “Advertising prospecting by direct sending”due to the resemblance to real emails, interpretation in accordance with that of the Court of Justice of the European Union (CJEU).

The French authority has judged that the absence of consent to receive advertising contravened the obligations listed within the Code of Posts and Electronic Communications (CPCE). At the same time, she deduced that this breach could be punished in the same way as sending classic advertising.

But, according to Orange, “The alleged facts are not aimed at a violation or a defect in security, but usual market practices that bringing no operations of personal data into its customers into play”. The company judges the sanction “All the more incomprehensible” that she received “No warning” or “Put in notice beforehand”. The decision should also act as a ” warning “ With regard to other operators, said Dutheillet de Lamothe.

7.8 million affected users

The fine imposed on Orange reaches a high amount, which is rare for public sanctions, apart from the convictions of large technology groups. By way of comparison, Google had been sentenced to a fine of the same amount in 2019 for breaches of data protection regulations (GDPR), and the total amount of fines imposed by the CNIL amounted in 2023 to 89 million 'euros.

The decision with regard to Orange has been made with regard to the number of users concerned: according to the CNIL, more than 7.8 million users have seen in their e-mail box no advertisements desired. The control authority also mentioned the existence of a “Financial advantage”which was not detailed, for the company.

CNIL has “Get into account that it is a breach that brought in money, which was valued”explains Louis Dutheillet de Lamothe, evoking the marketing of these advertising banners to advertisers. The fine also takes into account the changes made by Orange: since November 2023, its messaging service has changed the display of advertisements with a new format, which “Now makes it possible to clearly distinguish the announcements from the real emails”points out the CNIL.

For its part, the operator “Calls consultation of his wishes” pour “Clarify in favor of all the interpretation of texts on commonly shared uses and for which only Orange is condemned today”.

The authority also reported a formal notice from the company concerning its management of third -party cookies by the messaging service. The CNIL has discovered that cookies, these markers that allow companies to trace the course of a user on the web, were always sent to the Orange messaging service after the withdrawal of user consent – a practice contrary to the law Data processing and freedoms.

“What the CNIL and the regulation require is that there is no longer to send information” By cookies once the consent is disabled, specifies the secretary general of the CNIL. On this aspect, the company has a period of three months to comply, and will be sanctioned by a penalty of 100,000 euros per day of delay.