Advertisements inserted among emails: ORANGE fined €50 million

10 December 2024

On November 14, 2024, the French Data Protection Authority (CNIL) fined the French telecommunications operator ORANGE 50 million euros, notably for displaying advertisements between the e-mails of users of its email service without their consent.

Background

ORANGE provides its customers with an electronic messaging service ("Mail Orange"). Following several investigations, the CNIL found that the company was displaying advertisements in the form of emails among genuine emails in its users' inboxes.

On the basis of these findings, the restricted committee – the CNIL body responsible for issuing sanctions – considered that the display of such advertisements required the consent of ORANGE messaging service users, pursuant to Article L. 34-5 of the French Post and Electronic Communications Code (CPCE).

The CNIL's investigations also revealed that, when users of the orange.fr website withdrew their consent to the storage and reading of cookies on their devices, previously stored cookies continued to be read, in violation of Article 82 of the French Data Protection Act.

For these two breaches, the restricted committee decided to impose a sanction on ORANGE, which is composed of:

  • an administrative fine of 50 million euros, which was made public;
  • an order to stop reading cookies after the withdrawal of consent by the person concerned, within three months, with a fine of 100,000 euros per day overdue.

The amount of this fine was decided on the basis of the very high number of people concerned (over 7.8 million people having seen the advertisements in question in their inboxes), as well as the company's market position as France's leading telecommunications operator. The restricted committee also took into account the financial advantage derived from the breach relating to advertisements inserted among emails.

Sanctioned breaches

Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Article L.34-5 of the CPCE)

Investigations carried out by the CNIL revealed that users of ORANGE email accounts were seeing advertising messages in the form of emails displayed in their inboxes among incoming emails, without their consent.

Visual illustration: promotional messages are displayed in a space normally reserved for private emails, taking on the appearance of real emails

Based on a judgment by the Court of Justice of the European Union (CJEU) of November 25, 2021, the CNIL considered that these messages promoting services or goods, which were not sent by one user to another, but posted in a space normally reserved for private emails and which looked like genuine e-mails, constituted direct prospecting by email. Consequently, it was necessary to obtain the consent of the persons concerned in application of Article L. 34-5 of the CPCE.

To establish the liability of ORANGE as the email service provider, the CNIL noted that the company had control over the advertisements in question, since it displayed them and sold these dedicated spaces to advertisers. The restricted committee therefore distinguished these advertisements from emails sent by an advertiser to prospects using their email addresses, over which the messaging provider has no control and which it merely forwards.

The CNIL nevertheless took into account the fact that the company had ceased to use this type of display since November 2023 and that the new advertising display implemented makes it possible to clearly distinguish ads from genuine emails.

Failure to comply with Article 82 of the French Data Protection Act: cookies read in spite of user consent withdrawal

The CNIL noted that when a user of the orange.fr website accepted the storage and reading of cookies on their device, and then withdrew their consent, the previously stored cookies continued to be read by ORANGE and its partners.

The CNIL pointed out that such a reading operation, which consists in accessing data stored in the user's terminal, is explicitly prohibited by Article 82 of the French Data Protection Act, even if this data is not subsequently used.

It also specified that, to guarantee the effective withdrawal of consent, the company had to implement technical solutions preventing the reading of cookies under its control. In the case of cookies placed by its partners, the company had to ensure that similar solutions were implemented.