In a significant ruling, the French Data Protection Authority (CNIL) has imposed a hefty fine of 50 million euros on the French telecom giant Orange for displaying advertisements in users’ email inboxes without obtaining their explicit consent. Specifically, Orange was embedding these ads within its Mail Orange service, leading them to appear as genuine emails among personal messages. This deceptive practice contravenes the French Post and Electronic Communications Code, which unambiguously requires user consent for such advertisements. The collective impact of this non-compliant behavior was profound, affecting over 7.8 million individuals who use Orange’s services and highlighting the company’s significant market position in France.
Moreover, Orange was found to be continuing to read cookies on users’ devices, despite users withdrawing their consent on the orange.fr website. This breach compounds the issue, reflecting a disregard for user preferences and established data protection laws. According to CNIL, Orange will be required to cease reading user cookies without consent within three months from the ruling. Failure to comply with this directive would result in Orange facing additional penalties amounting to 100,000 euros for each day it remains in breach. This ruling underscores the robust nature of the GDPR and the significant consequences companies face for failing to comply with its stringent requirements.
The CNIL’s decision aligns with previous European court rulings that categorize unsolicited advertisements in email inboxes as spam. This case reinforces the necessity for service providers to obtain explicit user consent before embedding advertisements within email services. The fine imposed on Orange serves as a stark reminder to all companies operating within the EU about the critical importance of maintaining user consent and complying with privacy regulations. These rulings reiterate the value of data privacy rights and illustrate the severe repercussions for failing to uphold these principles. With GDPR guidelines continuing to evolve, staying compliant is not only a legal obligation but also an ethical duty to protect user privacy.