The French data protection authority (CNIL) recently imposed
a record fine of €50 million on the French telecommunications giant, Orange. This unprecedented penalty follows practices deemed to violate regulations concerning the distribution of advertising via email services.
Hidden advertisements in private emails
The case began with the discovery of advertising messages disguised as emails sent to Orange email users. According to the CNIL (French Data Protection Authority), these emails were designed to look like legitimate emails, thus deceiving their recipients. Most users had not given their explicit consent to receive this type of content, which constitutes a clear violation of personal data protection rules.
This practice significantly violates the legal framework regarding direct marketing by email, particularly after the user has withdrawn their initial consent. The French Data Protection Act (Loi Informatique et Libertés), reinforced by European regulations such as the GDPR, requires strict respect for users’ choices regarding the processing of their personal data. This incident highlights the importance of respecting users’ explicit consent.
A serious breach justifying a heavy fine
According to the CNIL’s observations, the practice of sending newsletters disguised as legitimate emails persisted long enough to affect more than 7.8 million users. This blatant abuse prompted the authority to impose a particularly high fine of €50 million . This amount reflects not only the seriousness of the breach but also Orange’s size and dominant position in the French telecommunications market.
Louis Dutheillet de Lamothe, Secretary General of the CNIL, emphasized that this decision serves as a strong warning to all industry players. The aim is to discourage other companies that are currently using or considering using similar methods to profit by disregarding personal data regulations.
Orange disputes the severity of the sanction
Faced with this situation, Orange filed a challenge. The operator argues that it did not violate any security standards or use personal data illegally, but simply “complied with standard market practices.” However, this defense was not accepted by the CNIL (French Data Protection Authority). Orange now plans to appeal to the Council of State, arguing that the penalty was disproportionate and also alleging a lack of prior formal notice.
According to the company, there was no formal warning regarding the alleged misconduct before the penalty was imposed. In response, the operator is seeking to initiate multi-stakeholder discussions to clarify the legal interpretations of these practices and prevent similar penalties from occurring again in the future.
The use of cookies was also singled out.
Beyond the unjustified advertising, the CNIL also noted a significant violation concerning the use of cookies in Orange’s digital services. Even after users withdrew their consent, cookies continued to be used to collect information, explicitly contravening Article 82 of the French Data Protection Act.
Companies using systems that continue to process user information without consent directly violate internet users’ rights. This type of practice significantly increases the risk of undue surveillance and misuse of personal data, requiring immediate corrective action. Consequently, Orange has a limited period of three months to comply, failing which it will be subject to a penalty of €100,000 per day of delay.
By comparison, Google also faced a similar fine in 2019 for data protection violations, totaling €89 million for various breaches identified that year. These precedents clearly demonstrate that the CNIL intends to rigorously enforce standards while ensuring transparency and digital security.