For having twice violated Article 82 of the Data Protection Act, Microsoft is fined 60 million euros by the CNIL. The beginning of the case goes back to 2020…
Following a complaint regarding the conditions for depositing cookies on “bing.com”, checks were carried out between September 2020 and May 2021 by the CNIL. This is how she could see non-compliance with the rules for cookies.
In fact, the CNIL condemned the American giant for the absence of a button to reject cookies on the search engine when there is one that can easily accept them. But it also revealed two other cookies that were installed without the user’s prior consent. These were for advertising purposes.
This is the largest fine imposed by the CNIL during this year 2022. The American group was sanctioned by the French authority despite the fact that since last year it has announced a major campaign of verifications of rules for cookies. The size of the fine is based on the scope of the processing, the number of registered users and the profit that the company obtains from the advertising revenue indirectly generated from the data collected by cookies.
Microsoft has 3 months to change this practice for people living in France. After this period, each day of delay will cost him 60,000 euros.
Google and Facebook already punished
For similar breaches, these two companies had already been sentenced at the end of 2021. Facebook had been fined 60 million euros and Google 50 million. However, the latter had already had a sanction at the end of 2020. Amazon, for its part, had been sanctioned at the end of 2020 for a lack of information to users.
Violations of the Data Protection Act
As set out in Article 82 of the Data Protection Act, the law requires cookies to be placed only with the consent of the user, which was not done in this case. In addition, it must be possible to reject cookies as simply as to accept them. Here, a button to accept cookies with one click was present, while it took two clicks to reject them all. That fact, doubling the act to reject, the CNIL believed that this violated the freedom of consent of Internet users.
As a reminder, the CNIL is recognized as substantively competent to control and sanction all actions related to cookies by internet users in France.