Microsoft was recently hit with a fine of 60 million euros from CNIL of France for various cookie consent violations.
Following several investigations into the company regarding cookies deposited via bing.com, CNIL has imposed a fine of €60 million on Microsoft. The investigations were spurred by complaints about the conditions for depositing cookies on the website. It was found that users were having cookies deposited on their devices without their consent when visiting the site. In addition CNIL found the refusal of cookies was not designed to be as easy as the acceptance of cookies on the website. These cookies were also being used for advertising, among other purposes. As a result, in addition to the €60 million fine, CNIL also ordered the company to begin collecting the consent of individuals residing in France within three months, or risk a €60,000 per day fine if overdue.
CNIL’s investigation into the website revealed several breaches of Article 82 of the French Data Protection Act
The investigation into the cookie consent practices on bing.com revealed that when users visited bing.com, several cookies were automatically deposited onto their terminal device. These cookies included an initial anti-fraud cookie deposit, followed by additional cookies for advertising purposes as the user continued browsing the search engine. Under the French Data Protection Act, these cookies are only to be deposited after obtaining valid user consent. The search engine offered a button to accept cookies immediately, however refusing cookies was not made as easy. Two clicks were needed to refuse all cookies, while only one was needed to accept them. The CNIL concluded this to be a breach of the law, as the means of collecting consent made the refusal mechanism more complex than that for acceptance, thereby discouraging users from refusing consent.
Any non-compliant operations involving the deposit of cookies onto terminals of internet users in France can face sanctions from CNIL.
Apart from CNIL being territorially competent to investigate and sanction these activities due to the fact that the use of these cookies falls within the framework of the activities of Microsoft France, the Authority is also able to verify and sanction operations relating to the deposit of cookies on terminal devices of any internet users located in France. Microsoft France is an establishment of the Microsoft group within France, making CNIL territorially competent, however CNIL is also materially competent to sanction any operation involving the deposit of cookies on terminal devices of end users in French territory under Article 82 of the French Data Protection Act.