French Data Protection Authority Fines Microsoft Ireland €60 Million for Unlawful Use of Cookies

The French Data Protection Agency, the Commission nationale de l’informatique et des libertés (CNIL), recently announced that Microsoft Ireland has been found to be in violation of the EU’s General Data Protection Regulation (GDPR) with respect to the downloading of cookies onto the devices of users of the Bing search engine. CNIL has fined Microsoft Ireland €60 million ($64 million) for the GDPR violations.

Cookies are text files that are created by a web server and are downloaded onto users’ devices. The files serve various purposes, such as tracking web browsing activity on a website, authentication to confirm that a user has logged in, and tracking users as they traverse the internet for advertising purposes. Some cookies are essential to the functioning of a website, such as those used for authentication, whereas others, such as advertising cookies, are non-essential. Under the GDPR, websites that can be accessed by citizens of the European Union are required to obtain informed consent from users before downloading non-essential cookies, and if consent is not provided those cookies cannot be legally downloaded.

When users visited the Bing website (bing.com), one cookie was downloaded onto their devices that served several purposes, including combating advertising fraud, with a second cookie deposited onto users’ devices for advertising purposes. Microsoft Ireland was found not to have obtained consent from users to download these cookies. Further, when the consent banner was displayed advising users that cookies were used by the website, users could accept the cookies with a single click, whereas rejecting the cookies required two clicks. CNIL determined that making the process of refusing cookies more complex amounted to discouraging users from rejecting the cookies, which it determined violated the freedom of consent of Internet users.

Microsoft Ireland implemented a new “refuse all” button on Bing.com on March 29, 2022, which resolved all of the issues; however, prior to that date, Microsoft Ireland was in violation of the GDPR. Microsoft has also been given three months to obtain the required consent from French users of the website before it will be permitted to deploy advertising cookies again, with any further non-compliance carrying a penalty of €60,000 per day.

Under the one-stop-shop mechanism of the GDPR, the enforcement of compliance falls on the country in which a company has its EU base, which for Microsoft Ireland is naturally Ireland. CNIL said the one-stop-shop mechanism of the GDPR was not intended to apply regarding the use of cookies, which falls under the ePrivacy directive of the GDPR, and that the use of cookies is carried out within the framework of consent used by Microsoft France; therefore, CNIL has the authority to enforce compliance.

This is not the first such fine to be imposed by CNIL over the unlawful use of cookies. In 2021, CNIL fined Google €150 million and Facebook €60 million for making it difficult for users to opt-out of online tracking through the use of cookies.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/