The health website Doctissimo has been fined €380,000 for breaches of personal data, the French digital rights watchdog CNIL has said.
Owned by the Reworld Media group, the website has been ordered to pay €280,000 under the European Data Protection Regulation (GDPR) for personal and health data kept without time limits and collected without consent, CNIL said in a statement.
It must also pay a fine of €100,000 for violations relating to cookies.
The sanction follows a complaint filed in June 2020 by UK body Privacy International.
The CNIL found that data relating to tests and quizzes carried out on the site were kept for too long, initially for 24 months.
No consent
It also criticised Doctissimo for having collected health data from around 5 percent of these tests without consent, even though this information is considered "particularly sensitive".
The CNIL noted a lack of security for personal data, with the use of an unencrypted communication protocol, and the storage of passwords in "an insufficiently secure format".
ℹ️🔴 The CNIL fined DOCTISSIMO EUR 380,000 because it failed to comply with obligations under the #GDPR and because it didn't comply with the rules on #cookies 👉 https://t.co/1RZpvPWHpl pic.twitter.com/nJ3oF1PwOo
— CNIL_en (@CNIL_en) May 17, 2023
According to the authority, this failure to obtain consent affected every visitor to the site, or "hundreds of millions of Internet users".
(with wires)