Orange Fined €50 Million for Slipping Ads into User Emails Without Consent

France’s telecommunications giant, Orange, is facing a €50 million fine for embedding advertisements within users’ email inboxes—a move deemed a serious violation of privacy rights by the French Data Protection Authority (CNIL). The ruling underscores the growing intolerance for digital marketing practices that bypass user consent.

If you used Orange’s email service, Mail Orange, you may have noticed something odd—ads masquerading as emails sitting snugly among your personal messages. CNIL investigations found that these weren’t just intrusive; they were illegal. Under Article L. 34-5 of the French Post and Electronic Communications Code (CPCE), sending marketing emails directly to users requires their explicit consent.

Orange not only failed to get that consent but also took charge of the entire operation, selling and displaying ad slots to advertisers. Over 7.8 million users were subjected to these camouflaged ads, which blurred the line between private correspondence and promotional content.

To its credit, Orange halted the practice in November 2023 and introduced measures to make ads clearly distinguishable. But CNIL wasn’t letting bygones be bygones, citing the financial advantage Orange gained from this invasive approach.

Cookies That Didn’t Quit

The trouble didn’t end with inbox ads. The CNIL also uncovered that Orange violated Article 82 of the French Data Protection Act by continuing to read cookies on users’ devices even after they had withdrawn their consent.

Here’s how it played out: Users visiting the Orange website were asked for cookie consent. If they later changed their minds and opted out, the cookies already stored on their devices didn’t follow suit—they kept being accessed. CNIL stressed that such practices not only breach the law but also undermine users’ trust in how their data is handled.

CNIL’s ruling wasn’t just a slap on the wrist—it was a wake-up call. Orange was fined €50 million, a figure reflecting:

• The massive scale of the breach, impacting millions of users.
• The company’s dominance as a telecom giant.
• The profits reaped from these dubious practices.

But that’s not all. CNIL gave Orange three months to ensure cookies stop working the moment a user withdraws consent. Failure to comply will cost Orange €100,000 per day—a steep penalty designed to enforce immediate action.

A Reminder for All Businesses

Orange’s case is more than a headline; it’s a spotlight on the stakes of digital privacy. For businesses operating in the EU, this serves as a powerful reminder that cutting corners on compliance can lead to seismic penalties and damaged reputations. Regulators like CNIL are making it clear that user consent isn’t negotiable—it’s fundamental.

As data privacy laws continue to evolve, organizations must not only adapt but actively prioritize transparent and ethical practices. Those who fail to do so will find the cost of non-compliance far outweighs the revenue such shortcuts might generate.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.