Orange Fined €50 Million for GDPR Violations in France
France’s data privacy regulator, CNIL, has imposed a €50 million fine on Orange S.A., the country’s largest internet provider, for sending unsolicited advertisements to customers. The regulator found that Orange displayed ads in the form of emails among legitimate messages in users’ inboxes without obtaining proper consent. This practice violates the French Post and Electronic Communications Code (CPCE), which mandates user consent for such advertising.
Additionally, CNIL reported that Orange continued to use tracking cookies to monitor users’ online activities even after they had withdrawn their consent. The regulator emphasized that the company should have implemented technical measures to prevent the reading of cookies under its control. Furthermore, Orange was expected to ensure that its partners adhered to the same standards regarding user consent and data protection.
In response to the fine, an Orange spokesperson characterized the penalty as “disproportionate” and argued that the company’s practices aligned with common market standards. The spokesperson also stated that the regulator did not provide any prior warning to cease the practices before issuing the fine. Orange plans to appeal the decision in court, maintaining that no customer data was used without prior consent.
The significant fine reflects Orange’s status as the leading telecommunications operator in France. This case underscores the importance of compliance with data protection regulations, particularly in the context of GDPR, as companies face increasing scrutiny over their handling of user data and consent.
