Orange Squeezed for EUR50 Million Over Privacy Breach | France

On 14 November 2024, the French Data Protection Authority (Commission Nationale Informatique & Libertés, CNIL) fined Orange, the biggest telecommunications operator in France, EUR50 million for displaying to its customers unsolicited adverts resembling emails. The CNIL considers that fake advertisement emails should be treated as advertisement emails that require the consent of users.

Orange included advertisements within the genuine emails received by its email account holders without their consent. These ads had the appearance of legitimate emails, distinguished only by a slightly greyed background, the label “advertisement” instead of the timestamp on the right of the email, and a small cross to delete the message instead of the usual checkbox to select emails. The sender’s name and the subject line were crafted to resemble authentic emails.

Orange argued that, unlike advertisements sent by email, these “fake advertising emails” did not require user consent as these ads were not “sent” to users’ email addresses but merely displayed in their inboxes. As a result, Orange argued that Article L.34-5 of the French Postal and Electronic Communications Code (CPCE), transposing Article 13 of the E-Privacy Directive, was not applicable. This article requires a person’s consent when direct marketing is carried out using automated electronic communication systems or email, and involves using a person’s contact details.

The CNIL rejected Orange’s arguments, ruling that users’ consent is required for these “inbox advertising emails”.

The CNIL relied on a decision from the European Court of Justice (ECJ), which had ruled that the display of advertising messages in email form in a person’s inbox constitutes the use of electronic mail for direct marketing purposes under Article 13 of the E-Privacy Directive (ECJ, Case C-102/20, 25 November 2021). Although Article L34.5 was originally intended to address messages sent to a recipient’s phone number or email address, the CNIL emphasised the need to account for technological advancements and emerging marketing techniques.Based on this, the CNIL considered that, according to Article L34.5 of the CPCE, those inbox advertising emails should require users’ consent.

Considering that Orange had control of the advertisements in question, by displaying them and marketing these dedicated spaces to advertisers, the CNIL held Orange accountable for this violation of Article L34.5 of the CEPC despite being the service provider rather than the advertiser. It thus distinguished this situation from cases where advertisers send emails directly to users, with no involvement from the email service provider beyond routing the message.

Here, the CNIL noted that Orange does not simply ensure the routing of a message, but sells ad space to advertisers, determines its placement at its discretion, and controls its display within users’ mailboxes. It is the only entity in direct contact with users, meaning the only one in a position to obtain their consent.

Orange was hit with a EUR50 million fine, the biggest imposed by the CNIL in 2024.

Additionally, for a separate violation involving the use of cookies despite users withdrawing consent while browsing orange.fr, the privacy watchdog also ordered Orange to cease this practice within three months. Non-compliance would result in a penalty of EUR100,000 per day.

In determining the fine’s amount, the CNIL considered the intrusive nature of the practice, the significant number of users affected (7.89 million), the fact that rules governing commercial prospecting had long been established and should be known by a company like Orange, and the financial gain derived from these violations.

The EUR50 million fine is particularly notable for two reasons. First, it ranks among the CNIL’s most significant penalties, alongside those imposed on GAFAM companies, such as the EUR150 million fine against Google in 2021 and the EUR60 million fines against Microsoft and Facebook. Second, the fine represents 0.11% of Orange’s annual revenue, indicating that the French privacy watchdog is taking a stricter approach to penalising large corporations. While the CNIL can indeed impose penalties up to 2% of a company’s global turnover (or 4% for severe breaches), fines have historically been lower – eg, Microsoft’s EUR60 million fine in 2022 represented just 0.03% of its turnover.

Orange has announced its intention to appeal the decision to the French Conseil d’État, arguing that the penalty is “disproportionate”, particularly as it had received no prior warning or formal notice.

While the appeal’s outcome remains uncertain, this case underscores the CNIL’s rigorous enforcement of consent requirements in digital advertising. It also serves as a clear warning to other email service providers about the importance of securing explicit user consent when legally required.