Orange is facing a €50 million fine from the CNIL for unauthorized advertising practices involving email-like inserts in its messaging service without user consent. The company plans to appeal the ruling, maintaining that it did not violate data security. Over 7.8 million users were affected, and the CNIL has mandated that Orange improve compliance regarding third-party cookies, or face additional penalties. The telecom giant has since revised its ad format to distinguish ads from real emails.
Advertising inserts that mimic emails have drawn significant scrutiny for Orange, as the company faces a hefty penalty from the CNIL. The privacy watchdog, responsible for overseeing personal data usage in advertising, has imposed a fine of 50 million euros on the telecom giant for what it deems unauthorized advertising practices.
Details of the CNIL’s Decision
According to Louis Dutheillet de Lamothe, the Secretary General of the National Commission on Informatics and Liberties, Orange utilized its messaging service to insert advertisements that closely resembled genuine emails. This practice was classified as sending advertising without user consent. In response, Orange management acknowledged the CNIL’s ruling but contested the severity of the fine, arguing that the practices in question did not constitute a breach of security or misuse of personal data. They expressed their intention to appeal the decision before the Council of State and called for a dialogue with relevant authorities.
Impact on Users and Future Compliance
The CNIL’s ruling is particularly notable given that over 7.8 million users were reportedly exposed to these unsolicited advertisements. The regulatory body pointed out that Orange likely benefited financially from this breach, although specific details about that advantage were not disclosed. In light of the situation, Orange has made adjustments to its messaging service, implementing a new advertisement format that clearly differentiates ads from actual emails since November 2023.
Moreover, the CNIL has raised concerns regarding Orange’s handling of third-party cookies, revealing that tracking cookies continued to be sent even after users had opted out. This practice contravenes data protection regulations, prompting the CNIL to require compliance within three months. Failure to do so could result in a daily fine of 100,000 euros.