Privacy International
For a world where technology will empower and enable us, not exploit our data for profit and power. Find us on mastodon: https://t.co/vTdLm4qChC

Feb 10, 2023, 9 tweets

Yesterday we attended a hearing at the CNIL (the French data protection authority) following our 2020 complaint against @doctissimo, a major French health and wellness information website. Some spicy details, including a proposed €380,000 fine...

Thread 👇

The CNIL rapporteure focused on 5 points: data retention, consent, joint controllership, security and cookies - it found that Doctissimo failed on all of them when collecting and sharing the sensitive data of thousands of people.

Through the 684 (!) health & wellness online self-tests that Doctissimo offers, the company reached 584,000 people.

Doctissimo said only 5% of those tests collected health data, meaning 30,000 people had their data unlawfully processed.

Qualifio, a third-party company contracted by Doctissimo to run its online self-test forms, had access to the IP addresses of Doctissimo users, which Doctissimo failed to notice despite being provided with regular reports.

This means Qualifio could use this data to identify users, for example for advertising purposes - and to cross the data obtained through Doctissimo with data obtained from other clients.

Data was shared with third parties without any encryption (using HTTP) until October 2019, meaning that until then thousands of people's health data could have been intercepted by malicious actors.

The rapporteure found that despite implementing a consent mechanism after our investigation, Doctissimo still placed cookies on people's browsers even if they'd declined.

At the time of our investigation, Doctissimo was liberally sharing people's health data with 557 partners.

Through it all, Doctissimo's lawyers argued that all of this wasn't a big deal. Failing to protect the health data of 30,000 people isn't a big deal? We disagree.

Read our original complaint here and stay tuned for updates!

privacyinternational.org/legal-action/c…
