The CNIL slaps the fingers of the Doctossimo health site, which has not complied with the GDPR or the obligations related to the use of cookies. And imposes a fine of 380,000 euros, which seems very low given the alleged facts …

The CNIL slaps the fingers of the Doctossimo health site

The National Commission for Computing and Liberties (CNIL) has struck again. This time, it is Doctissimo, the Reworld Media site offering articles, tests, quizzes and discussion forums on health and well-being for the general public, which is in its sights. In a press release published on May 17, 2023, the data protection watchdog announced that it had fined the media outlet 380,000 euros for breaches of the General Data Protection Regulation (GDPR), accounting for 280,000 euros, and of the obligations relating to cookies, accounting for 100,000 euros. These breaches concern “the data retention periods, the collection of health data via online tests, the security of data as well as the procedures for depositing cookies on the user’s terminal”. The sanction follows a complaint filed in 2020 by the NGO Privacy International, and it is particularly worrying because this processing of sensitive data directly concerns millions of people in France.

Doctissimo fine: major breaches of the GDPR

Privacy International accused Doctissimo of systematically sharing personal data with a large number of third parties, “often for advertising purposes, despite their sensitive nature”. “If you answer a test on depression or consult information on pregnancy, this data will be able to be centralized by these partners via their trackers in order to build a detailed profile which will be sold to publishers and allow advertising to be sent, but potentially end up elsewhere, in credit rating agencies for example,” the NGO explained. It had also noted that the answers of Internet users were sent without protection to the technical service provider responsible for the test, even though they included medical information.

Several infringements were noted by the watchdog, including four with respect to the GDPR and one with respect to the Data Protection Act, more specifically its article 82. First, the CNIL judged the retention period for data related to the health tests carried out by Internet users, 24 months, to be “excessive”. In addition, the data of users whose account had been inactive for more than three years was also kept, without any procedure for anonymizing the information. Furthermore, the site “did not provide any specific warning or mechanism for obtaining consent on its online tests, in order to ensure that the user was aware and consented to the processing of his health data”, the CNIL indicates.

Doctissimo was also found to have used the personal data of its users in collaboration with other companies, in particular for advertising purposes, without a contractual framework. Another problem: until 2019, data, including passwords, was not stored or transmitted securely, since the site used unencrypted “http” (Hypertext Transfer Protocol) connections, leaving the data vulnerable to interception, computer attacks and leaks. Finally, the CNIL noted that an advertising cookie was deposited on the user’s terminal without consent upon arrival on the site, and two others after the Internet user had clicked on the “Refuse all” button.

Doctissimo fine: a derisory sanction?

Doctissimo was sentenced to a total fine of 380,000 euros, which takes into account “the nature and seriousness of the breaches, the categories of personal data (health data) and the number of people concerned as well as the financial situation of the company”, as well as “the fact that, given its nature and its sector of activity, i.e. the distribution of digital content relating to health, the company should have shown particular vigilance with regard to the collection of consent of individuals to collect their health data.”

Problem: the amount of the fine imposed appears to be somewhat out of step with the faults committed by the platform, especially since the health data collected belongs to the category of sensitive personal data, and with the high frequency of use of the platform, which counts “hundreds of millions” of users. Above all, Doctissimo has belonged to the Reworld Media group since June 2022, which generated a turnover of 505.8 million euros in 2022. At the material time, it belonged to the TF1 group, whose annual turnover in 2021 was more than 2.4 billion euros. It remains to be judged whether the fine imposed is “both dissuasive and proportionate”.