The CNIL Strikes Hard Against Orange with a EUR50 Million Fine
The CNIL has imposed a EUR50 million fine on Orange SA (Orange), a leading French company in the telecommunications sector, for non-compliant practices relating to direct marketing and cookie management. This fine is in line with the French supervisory authority’s strict policy in these areas.
Our insight is set out below:
The Breaches Committed by Orange
Advertisements disguised as emails: Orange inserted advertising messages into its users’ inboxes, making them appear as private emails, without obtaining the users’ consent. This practice is in breach of Article L. 34-5 of the French Postal and Electronic Communications Code (hereinafter “CPCE”).
Failure to take into account the withdrawal of consent for cookies: On the orange.fr website, cookies continued to be read and transmitted to Orange and its partners even after users withdrew their consent, in breach of Article 82 of the French Data Protection Act (hereinafter “FDPA”).
The Fine Imposed by the CNIL
The CNIL issued a EUR50 million fine against Orange, considering the following factors:
- the severity of the breaches, in particular given the intrusive nature of the advertising messages;
- the number of affected users, which exceeded 7.89 million;
- Orange's leading position in the market;
- Orange’s negligence, as the rules on direct marketing and cookie management are well-established by the CNIL; and
- the financial benefits Orange gained from these practices.
Although the CNIL acknowledged Orange’s efforts to remedy its non-compliance relating to direct marketing, it ordered Orange to bring its cookie practices into compliance with Article 82 of the FDPA within three months, with a penalty of EUR100,000 per day of delay.
Key Takeaways
Proportionality of the fine: This fine represents 0.11% of Orange’s turnover, which makes it significant compared to past CNIL sanctions. For instance, the 2021 fine issued against Meta Ireland for breaching Article 82 of the FDPA represented 0.07% of the company’s turnover. In 2023, the CNIL fined Canal+ an amount equivalent to 0.032% of its turnover for various breaches, including a breach of Article L. 34-5 of the CPCE.
Direct Marketing: While the CNIL adopts a broad interpretation of Article L. 34-5 of the CPCE in light of an ECJ ruling from 25 November 2021 [1] (stating that simply using an email inbox to display a marketing message can fall within the scope of this Article), it is the format of the messages—appearing as genuine emails—that is primarily criticized. The CNIL’s reasoning in this decision does not apply to standard practices such as banner ads or pop-ups, even when displayed on a messaging platform, provided they remain outside the email list.
Data Controller and Consent: The CNIL ruled that the responsibility for obtaining user consent for advertising messages rested with Orange, as the email service provider, rather than the advertiser. This was due to (i) Orange’s active role in displaying the messages and (ii) its position as the only entity in direct contact with users. However, the CNIL did not clarify whether this consent should have been a standard consent or a “partner-specific” consent.
CNIL and Cookies: In this decision, the CNIL provides concrete recommendations on the solutions to implement in order to ensure the effective withdrawal of consent for cookie reading/writing (§97). It also emphasizes that website publishers must ensure their partners’ compliance with the GDPR in their use of third-party cookies (particularly in taking into account the withdrawal of users’ consent).
Special thanks to our trainee Tatiana El Hajj.
[1] ECJ, Third Chamber, November 25, 2021, StWL Städtische Werke Lauf a.d. Pegnitz GmbH, Case C-102/20