On November 14, 2024, the CNIL fined the company ORANGE 50 million euros, in particular for having displayed advertisements between the emails of users of its electronic messaging service, without their consent.
The context
ORANGE provides its customers with an electronic messaging service (“Orange Mail”). Following several checks, the CNIL found that the company was displaying, between the emails present in users’ inboxes, advertising announcements in the form of emails.
Based on these findings, the restricted committee – the CNIL body responsible for imposing sanctions – considered that the display of such advertisements required the collection of consent from users of the ORANGE messaging service, pursuant to Article L. 34-5 of the Postal and Electronic Communications Code (CPCE).
Furthermore, the checks carried out by the CNIL also revealed that, when users of the orange.fr website withdrew their consent to the storage and reading of cookies on their terminal, the cookies previously stored continued to be read, in violation of Article 82 of the Data Protection Act.
For these two breaches, the restricted committee imposed on ORANGE:
- a fine of 50 million euros, made public.
- an injunction to cease cookie reading operations after withdrawal of the data subject’s consent within three months, accompanied by a penalty payment of 100,000 euros per day of delay.
The amount of this fine takes into account in particular the very high number of people concerned (more than 7.8 million people having seen the advertisements in question displayed in their inbox) as well as the market position of the company, which is the leading telecommunications operator in France. The restricted committee also took into account the financial advantage derived from the breach relating to advertisements inserted between emails.
Penalized breaches
Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (article L.34-5 of the CPCE)
The checks carried out by the CNIL have shown that users of ORANGE email accounts were seeing advertising messages in the form of emails displayed in their inboxes, between the emails received and without their consent.
The CNIL, relying on a ruling by the Court of Justice of the European Union (CJEU) of 25 November 2021, considered that these messages, which promote services or goods and are not sent by one user to another user but are displayed in a space normally reserved for private emails while taking the appearance of real emails, constitute direct prospecting by email. Consequently, it is necessary to obtain the consent of the persons concerned in accordance with Article L. 34-5 of the CPCE.
In order to hold the company ORANGE, the email provider, liable, the CNIL noted that it was the company that had control over the advertisements in question, by displaying them and marketing these dedicated spaces to advertisers. It thus distinguished these advertisements from emails sent by an advertiser to a prospect using their email address, over which the email provider has no control and which it simply forwards.
The CNIL nevertheless took into account the fact that the company has not carried out this type of display since November 2023 and that the new advertising format now in place makes it possible to clearly distinguish advertisements from real emails.
A breach of Article 82 of the Data Protection Act: cookies read despite the withdrawal of consent by the Internet user
The CNIL noted that when a user of the orange.fr website accepted the storage and reading of cookies on their device, then withdrew their consent, the cookies previously stored continued to be read by the company ORANGE and its partners.
The CNIL recalled that such a reading operation, which consists of accessing information stored in the user’s terminal, is explicitly prohibited by Article 82 of the Data Protection Act, even if this information is not subsequently used.
It also specified that, in order to ensure the effective withdrawal of consent, the company had to implement technical solutions preventing the reading of cookies over which it had control. For cookies placed by its partners, it had to ensure that similar solutions were in place with them.
https://www.cnil.fr/fr/publicites-inserees-entre-les-courriels-sanction-de-50-millions-deuros-orange