Complaint against Doctissimo
This legal challenge relates to a complaint filed in 2020 with the French data protection authority (CNIL) against Doctissimo, a popular French health site. In May 2023, the CNIL found a number of breaches of GDPR, and imposed a €380,000 fine on the company.
Commission nationale de l’informatique et des libertés (CNIL)
On 26 June 2020, Privacy International (PI) filed a complaint against the French health website Doctissimo with the French data protection authority (CNIL).
Given that health websites can reveal such sensitive data about us, we would expect them to be 100% transparent about what happens to our data and give us a genuine choice as to whether our data is collected, used and shared. Unfortunately, that's not always the case.
The complaint follows a report PI published in September 2019. The report highlighted how numerous mental health websites engage in programmatic advertising, a type of advertising that relies on sharing our personal data with hundreds if not thousands of companies to eventually serve us targeted ads. It also exposed how a small number of websites offering depression tests share your answers directly with third parties. Doctissimo, a French health information website, was among those.
In February 2020, we followed up on our initial research and carried out a second analysis. That analysis showed that Doctissimo, among others, was still sharing data with third parties for marketing purposes.
In our complaint dated 26 June 2020 we argue that Doctissimo:
• Has no lawful basis for the processing of personal data, as the requirements for valid consent are not met. Consent is Doctissimo’s stated basis for processing and the only available legal basis given the nature of the processing involved. Doctissimo also fails to obtain explicit consent in the case of special category personal data;
• Does not comply with the Data Protection Principles enshrined in GDPR, namely the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and integrity and confidentiality;
• Does not comply with its obligations under Article 25 (Data Protection by Design and by Default) of the GDPR and Article 32 (Security of Processing) of the GDPR;
• Should be further investigated as to compliance with the rights, obligations and safeguards in GDPR.
PI therefore calls on the CNIL to investigate the practices detailed in our complaint and take appropriate and timely enforcement action in order to protect individuals from wide-scale infringements of the law.
On 17 May 2023, the CNIL fined Doctissimo €380,000 "because it failed to comply with obligations under the GDPR, in particular obtaining consent of individuals to the collection and use of their health data, and because it didn't comply with the rules on cookies." Although the fine is relatively small compared to the company's annual revenue, the legal conclusions are unequivocal; the amount of the fine partly reflects the fact that Doctissimo cooperated with the CNIL investigation and took corrective measures.