Three days ago, on December 10, 2024, France's data protection authority (CNIL) imposed a substantial fine of €50 million on Orange, France's leading telecommunications operator, for serious privacy violations related to its email service practices and cookie management.

The enforcement action stems from multiple investigations that revealed Orange had been inserting advertisement emails among genuine messages in users' inboxes without obtaining proper consent. According to CNIL's findings, this practice affected more than 7.8 million users of Orange's email service.

The decision follows a November 14, 2024 ruling by CNIL's restricted committee, which determined that Orange violated Article L. 34-5 of the French Post and Electronic Communications Code (CPCE). The committee based its assessment on a November 25, 2021 judgment by the Court of Justice of the European Union, which classified such advertising practices as direct marketing requiring explicit user consent.

A technical analysis of Orange's practices revealed that the company maintained complete control over the advertising content, actively managing the display and sale of dedicated advertising spaces to third parties. CNIL distinguished this practice from standard email marketing, where service providers simply transmit messages between senders and recipients.

The investigation uncovered an additional privacy violation regarding cookie management on Orange's website. When users withdrew their consent for cookies on orange.fr, previously stored tracking cookies continued to be read by both Orange and its advertising partners, contradicting Article 82 of the French Data Protection Act.

The magnitude of the fine reflects several aggravating factors. CNIL's restricted committee considered Orange's dominant market position as France's primary telecommunications provider and calculated the financial advantages the company derived from these unauthorized advertising practices. The decision mandates Orange to cease reading cookies after consent withdrawal within three months, with additional daily penalties of €100,000 for non-compliance.

Orange has already implemented certain remedial measures. According to CNIL's documentation, the company discontinued its previous advertising display method in November 2023, replacing it with a new system that clearly differentiates advertisements from legitimate emails.

The enforcement action highlights the increasing scrutiny of digital advertising practices by European privacy regulators. The CNIL emphasized that accessing data stored on users' devices without consent violates privacy regulations, regardless of whether that data is subsequently utilized.

For cookie management compliance, CNIL specified that companies must implement technical solutions preventing cookie reading after consent withdrawal. This requirement extends to third-party cookies, where the primary website operator must ensure partner compliance with consent withdrawal mechanisms.

The decision represents one of several recent privacy enforcement actions by CNIL. In the past three months, the authority has taken action against multiple companies, including a €250,000 fine against Cosmospace and a €150,000 penalty for Telemaque in October 2024, as well as an €800,000 fine imposed on Cegedim Santé in September 2024.

This enforcement action illustrates the complex intersection of email service provision, digital advertising, and privacy rights in the European context. The case establishes important precedents regarding the classification of in-inbox advertising and the technical requirements for proper cookie consent management.

The comprehensive penalty package includes both immediate financial sanctions and ongoing compliance requirements, demonstrating CNIL's commitment to enforcing digital privacy standards across major technology services. The decision provides detailed technical guidance for other companies operating similar services within the European Union's privacy framework.