Withdrawal of consent: The underlying question in the CNIL's Orange decision

Published January 24, 2025

by Thomas Adhumeau

Summary

In December, the French data protection authority (DPA), the CNIL, fined Orange €50 million, mainly for displaying advertisements in its email service without obtaining user consent.

Alongside this reason, the DPA also highlighted another violation by Orange concerning cookies being read despite the withdrawal of consent. This is the issue I want to focus on today.

Understanding CNIL's sanction against Orange (December 2024)

The CNIL's December 2024 sanction against Orange primarily concerns a breach in the operator's email system, an issue that has already been widely discussed and documented, so we will not dwell on it here. Instead, we want to focus on another violation identified by the CNIL in the second part of its press release, relating to cookies set by the company:

The CNIL noticed that when a user of the orange.fr website accepted the deposit and reading of cookies on their device, and then withdrew their consent, the cookies previously deposited continued to be read by ORANGE and its partners.

The CNIL pointed out that such a reading operation, which consists in accessing data stored in the user's terminal, is explicitly prohibited by Article 82 of the French Data Protection Act, even if this data is not subsequently used.

It also specified that, to guarantee the effective withdrawal of consent, the company had to implement technical solutions preventing the reading of cookies under its control. In the case of cookies placed by its partners, the company had to ensure that similar solutions were implemented.

- Commission nationale de l'informatique et des libertés (Source: CNIL, December 10, 2024)

Essentially, the CNIL observed that Orange and its partners continued to read cookies after a user (who had previously consented to cookies being dropped and read on their device) had withdrawn their consent.

This is prohibited, even if the data is not actually used.

The question that arises, therefore, is how the company could have ensured the effective withdrawal of consent.

How to ensure compliance with user consent withdrawal for cookies and trackers?

The CNIL provides some relevant information in that regard in its press release:

(...) to guarantee the effective withdrawal of consent, the company had to implement technical solutions preventing the reading of cookies under its control. In the case of cookies placed by its partners, the company had to ensure that similar solutions were implemented.

- Commission nationale de l'informatique et des libertés (Source: CNIL, December 10, 2024)

What kind of “technical solutions” can companies implement to ensure control over cookies? The question is complex and requires an ecosystem of solutions and best practices, starting with our Advanced Compliance Monitoring (ACM) solution.

The role of ACM in managing cookies post-consent

Our Advanced Compliance Monitoring (ACM) solution helps companies better understand and control the use of trackers on their digital properties. By simulating user behavior, ACM captures interactions with trackers throughout navigation and highlights:

  • Active trackers before, during, or after consent/refusal;
  • Scenarios where trackers remain despite a withdrawal of consent.

This granular data, available through indicators named User behaviour (which aggregate behavioral values related to interactions) and Ran scenarios (which detail scenarios in which a tracker was detected), allows companies to quickly identify compliance issues and provides a granular view of the impact of their consent processes.

Our external DPO, Sebastien Gantou, highlights the usefulness of ACM as part of a global compliance strategy:

The digital marketing ecosystem relies on real-time interactions. Over the past 5 years, the TCF has brought publishers and adtech together to validate their right to process, manage their actions, and demonstrate compliance through CMPs like Didomi.

Traditional approaches - compliance, audits, or governance - provide temporary solutions but often prove costly at scale. While human expertise remains essential for handling specific cases, it becomes far more effective when supported by the right tools.

We designed ACM to efficiently monitor the compliance of your digital assets. It delivers actionable and enforceable controls while simplifying and optimizing the work of your teams.

- Sebastien Gantou, Data Protection Officer at Didomi & CEO at Digital DPO

Note on current limitations and areas for improvement: while ACM currently identifies whether trackers persist or interact with a user's device based on the choices expressed, it does not yet store the granular type of interaction (creation, reading, modification, deletion) that would allow for even more detailed analysis.

Our Product Manager, Teodora Tanase, gives us a glimpse of the ACM roadmap and ongoing projects at Didomi:

Looking ahead, Didomi is committed to expanding Advanced Compliance Monitoring (ACM) to help businesses like Orange avoid compliance pitfalls.

Our upcoming enhancements include advanced alerting mechanisms for granular property-level monitoring, robust data export capabilities for seamless analysis, and an extensive website scanning feature to ensure full visibility of compliance risks.

These innovations aim to provide companies with the tools they need to proactively manage compliance, reduce exposure to fines, and build trust with their users.

- Teodora Tanase, Product Manager at Didomi

As it stands, ACM offers powerful mapping and diagnostic capabilities, which can serve as a foundation for compliance and dialogue with third-party partners.


Adopting an integrated approach to ensure compliance

Another challenge highlighted by the Orange case lies in the management of trackers dropped by third parties. While it is possible to block the reading of internal trackers after consent withdrawal, ensuring that third parties comply with the same rules requires additional oversight.

By detecting whether a tracker is still active despite a refusal, Advanced Compliance Monitoring (ACM) can provide valuable insights, but it is also imperative to collaborate with partners to align their practices with regulatory requirements. In summary, ensuring compliance with consent withdrawal requirements involves:

  • Removing or blocking internal trackers through technical solutions such as a tag management system (e.g., Google Tag Manager);
  • Continuous monitoring using tools like ACM to identify non-compliance;
  • Proactive collaboration with partners to verify their compliance.
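One way to make the first two points above concrete in the browser, as an added example that is not code from Didomi, Orange or the CNIL: a small consent-gated cookie model with a deny-by-default read gate, the expiry and partner-notification actions taken on withdrawal, and the after-withdrawal read audit that a monitoring crawler such as ACM (described in the previous section) would perform. The site domain, cookie names, categories and observed reads are assumptions.

```javascript
// Added example, not code from Didomi, Orange or the CNIL. Cookie names,
// categories, domains and the sample observations are constructed.

// The site's cookie inventory: purpose category and the domain each cookie is
// stored on. Cookies on a partner's domain cannot be expired by the site.
const SITE_DOMAIN = "example.fr";
const COOKIE_REGISTRY = {
  session_id:  { category: "essential",   domain: SITE_DOMAIN },
  ab_variant:  { category: "analytics",   domain: SITE_DOMAIN },
  ad_profile:  { category: "advertising", domain: SITE_DOMAIN },
  partner_uid: { category: "advertising", domain: "ads.partner-example.net" },
};

// Route every cookie read through this gate. Deny by default: a cookie that
// is not in the registry has no documented purpose and no consent basis.
function mayRead(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  return entry !== undefined && consent[entry.category] === true;
}

// Return a cookie's value only when consent covers its category; otherwise
// return null without touching the store, since the read itself is the act
// the CNIL found prohibited. `jar` is a name->value map of stored cookies.
function consentedRead(jar, name, consent) {
  return mayRead(name, consent) && name in jar ? jar[name] : null;
}

// On withdrawal: expire every first-party cookie whose category lost consent
// (Set-Cookie-style strings with Max-Age=0) and list partner-domain cookies
// the site must ask its partners to stop reading, as it cannot delete them.
function onWithdrawal(consent) {
  const expire = [], notifyPartner = [];
  for (const [name, entry] of Object.entries(COOKIE_REGISTRY)) {
    if (consent[entry.category]) continue;
    if (entry.domain === SITE_DOMAIN) {
      expire.push(`${name}=; Max-Age=0; Path=/; Domain=${SITE_DOMAIN}`);
    } else {
      notifyPartner.push({ name, domain: entry.domain });
    }
  }
  return { expire, notifyPartner };
}

// Monitoring view: from cookie reads observed after a withdrawal (as a crawler
// replaying "accept, then withdraw" would record them), return the offenders.
function auditReads(observedReads, consent) {
  return observedReads.filter((r) => !mayRead(r.name, consent)).map((r) => r.name);
}
```

Partner-domain cookies appear only in `notifyPartner`, which is the gap the page's third point (collaboration with partners) has to close, since no first-party code can expire or stop reads on a partner's domain.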

Going further, a centralized tracker database and advanced interaction analysis could enhance companies' ability to demonstrate compliance, not only to data protection authorities but also to users, whose trust depends on it.

For more information, visit our ACM page and follow me on LinkedIn to stay updated on industry news and opportunities.

About the author
Thomas Adhumeau
Chief Privacy Officer at Didomi.
French Commercial/IT Lawyer and Certified Information Privacy Professional by IAPP.