CNIL Fines Orange 50 Million Euros for Unauthorised Email Ads
The French Data Protection Authority (CNIL) recently imposed a significant fine of €50 million on ORANGE, France's leading telecommunications company. The penalty stems from two major breaches of data protection regulations: displaying unauthorised advertisements within users' email inboxes and failing to halt cookie usage after consent was withdrawn.
What Happened?
Unauthorised Ads in Emails
ORANGE was found to have inserted advertisements into its users’ email inboxes through its “Mail Orange” service. These ads mimicked the appearance of legitimate emails, blending seamlessly with genuine messages. According to CNIL, this constituted direct email marketing, which under French law (Article L. 34-5 of the French Post and Electronic Communications Code) requires prior user consent.
While ORANGE ceased this practice in November 2023 and updated its advertising strategy to clearly distinguish promotional content from regular emails, CNIL still deemed the past actions a serious breach, affecting over 7.8 million users.
Cookie Mismanagement
In a separate violation, ORANGE continued to read cookies on users’ devices even after they had explicitly withdrawn consent. This practice contravened Article 82 of the French Data Protection Act, which prohibits accessing data stored on users’ devices without valid consent.
CNIL emphasised that effective consent management requires robust technical measures to block cookie reading upon withdrawal. ORANGE’s failure to ensure compliance, both for its operations and those of its partners, further compounded the issue.
For these violations, CNIL imposed the following:
A €50 million fine, citing the vast number of affected users and ORANGE’s market dominance.
An order to halt unauthorised cookie usage within three months, backed by a daily penalty of €100,000 for non-compliance.
Key Takeaways for Businesses
Here is a breakdown of the key points that businesses can learn from this case:
1. User Consent is Non-Negotiable
Whether for email marketing or cookies, explicit user consent is paramount. Businesses must ensure that all promotional activities and data collection practices comply with local and international regulations.
2. Transparency Builds Trust
Misleading users by disguising advertisements as legitimate emails undermines transparency and erodes trust. Clear labelling and distinct formatting are critical to maintaining ethical marketing practices.
3. Strengthen Consent Withdrawal Mechanisms
Consent is not a one-time event. Companies must implement systems that allow users to withdraw consent easily and ensure that all associated activities cease immediately. This includes working closely with partners to align compliance efforts.
4. Proactive Compliance Reduces Risk
Waiting for regulatory scrutiny can be costly. Regular audits, staff training, and staying updated on evolving regulations can help businesses identify and address vulnerabilities before they escalate.
By prioritising transparency, consent management, and proactive adherence to privacy laws, companies can avoid costly penalties and create stronger relationships with their users.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you. Get in contact with us today for more information.