France fines Doctissimo for cookie, storage, and health data breaches
The French data protection authority (known as “the CNIL”) has issued a €380,000 fine against Doctissimo, a website offering articles, discussion forums, and quizzes—some related to people’s health.
This article will explore what went wrong for Doctissimo, focusing on the company’s alleged violations around cookies, storage limitation, joint controllership, data security, and special category data.
Cookies
Of the €380,000 total fine, €100,000 was imposed for violating Article 82 of the French Data Protection Act, which contains the rules on cookies (derived from the EU’s ePrivacy Directive).
France has a history of strong cookie enforcement and has recently hit companies such as Google, Microsoft, and TikTok with large cookie fines.
Doctissimo allegedly made two cookie errors on its website:
- Setting cookies on visitors’ devices as soon as they loaded the website (i.e., without consent).
- Setting two non-essential cookies even after visitors chose “Refuse all” on the website’s cookie banner.
This violation reportedly affected “hundreds of millions” of users.
Key takeaway: Having a cookie consent mechanism is essential. But you must follow through on people’s choices. Don’t set any non-essential cookies unless the user clicks “accept”.
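The two errors above are both failures of a single control: every cookie write on the site should pass through a gate that knows the visitor's current consent choice. The following is an added example illustrating that gate, not Doctissimo's code; the cookie names, the in-memory cookie jar (a stand-in for `document.cookie` so it runs outside a browser) and the "accept"/"refuse" choice values are all constructed for the example.

```javascript
// Added example: a consent gate that refuses to write non-essential cookies
// before the visitor clicks "accept", and purges them if the visitor clicks
// "Refuse all". Cookie names and values are constructed for illustration.

const ESSENTIAL_COOKIES = new Set(["session_id", "consent_choice"]);

// Minimal in-memory stand-in for document.cookie so the example runs in Node.
// In a browser, back get/set/remove with document.cookie reads and writes.
function createCookieJar() {
  const store = new Map();
  return {
    get: (name) => store.get(name),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// Delete everything that is not on the essential list.
function purgeNonEssential(jar) {
  for (const name of jar.names()) {
    if (!ESSENTIAL_COOKIES.has(name)) jar.remove(name);
  }
}

function createConsentGate(jar) {
  // "none" until the banner is answered; then "accept" or "refuse".
  const choice = () => jar.get("consent_choice") || "none";

  return {
    choice,
    // Called from the banner buttons. Refusal also removes any
    // non-essential cookie that may already be present.
    recordChoice(value) {
      if (value !== "accept" && value !== "refuse") throw new Error("bad choice");
      jar.set("consent_choice", value);
      if (value === "refuse") purgeNonEssential(jar);
    },
    // Every cookie write on the site goes through here.
    setCookie(name, value) {
      if (ESSENTIAL_COOKIES.has(name) || choice() === "accept") {
        jar.set(name, value);
        return true;
      }
      return false; // dropped: no consent yet, or consent refused
    },
  };
}

// Audit helper: non-essential cookies currently present. This should be
// empty before consent and after "Refuse all".
function nonEssentialCookies(jar) {
  return jar.names().filter((n) => !ESSENTIAL_COOKIES.has(n));
}

// Simulate the situations from the decision: tags try to set cookies on
// page load, the visitor answers the banner (or not), and the tags retry.
function simulate(choiceAtBanner) {
  const jar = createCookieJar();
  const gate = createConsentGate(jar);
  gate.setCookie("session_id", "abc123");        // essential: allowed
  gate.setCookie("_analytics_id", "u-42");       // non-essential: blocked
  gate.setCookie("_ad_segment", "quiz-visitor"); // non-essential: blocked
  if (choiceAtBanner) gate.recordChoice(choiceAtBanner);
  gate.setCookie("_analytics_id", "u-42");
  gate.setCookie("_ad_segment", "quiz-visitor");
  return nonEssentialCookies(jar).sort();
}
```

The audit helper is the check worth keeping around: run it after page load and after a "Refuse all" click in your test suite, and both must return an empty list. Third-party tags that write cookies directly, bypassing the gate, are the usual way a site fails this check even when its own code is correct.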
Storage limitation
The CNIL found a violation of Article 5 (1) (e) of the General Data Protection Regulation (GDPR), which provides the principle of “storage limitation”.
Under this GDPR provision, you must not keep personal data for longer than necessary.
The Doctissimo website features quizzes implemented via web forms. Once a quiz is complete, a user can view their results and share them on social media. Doctissimo also used data from the forms for statistical purposes.
Doctissimo stored data collected from these forms for 12 months, and then later for three months. The CNIL found that both storage periods were excessive.
The CNIL also noted that Doctissimo retained account data even after three years of inactivity, a storage period that the regulator also deemed to be longer than necessary.
Joint controllership
Under Article 26 of the GDPR, controllers who jointly process personal data with other controllers (“joint controllers”) must have a formal document in place setting out which party is responsible for which aspects of the processing.
The CNIL found that Doctissimo was in a joint controller relationship with advertising companies but did not have any such joint controller document.
Data security
The CNIL found that Doctissimo had breached Article 32 GDPR, which requires controllers and processors to implement reasonable technical and organisational measures to keep personal data secure.
The regulator noted that Doctissimo’s website still used plain HTTP until 2019 (as opposed to HTTPS, which encrypts the connection with TLS). This exposed data transmitted to the website to the risk of interception.
The CNIL also found that Doctissimo kept passwords in an “insufficiently secure format”, despite each user’s account containing information about their full name, date of birth, email address, and gender.
Special category data
Article 9 of the GDPR provides rules on processing “special category data”, which includes information about a person’s health.
Among other requirements, a controller processing special category data requires two legal bases for processing: one from Article 6 (a prerequisite for processing any personal data) and one from Article 9 (a set of legal bases applicable only to special category data).
The CNIL found that Doctissimo failed to identify a legal basis under Article 9 of the GDPR. The regulator implies that only the “explicit consent” basis would have been appropriate and that Doctissimo failed to fulfil the requirements necessary under this legal basis.
The CNIL states that Doctissimo should have provided a “special warning or consenting mechanism on its online tests, to ensure that the users were aware of the processing of their health data… and gave their consent”.
The fact that Doctissimo’s alleged violations involve health data clearly made the CNIL’s enforcement more urgent and severe.