The French data protection authority (CNIL) imposed a 60 million euro fine on Microsoft Ireland Operations Limited for failing to implement a mechanism that makes rejecting cookies as easy as accepting them. Furthermore, it was found that when a user visited the website, cookies were deposited on their terminal without consent and used for advertising purposes.
The amount was justified by the extent of the processing, the number of people affected and the profits the company made from advertising revenue generated indirectly from the data collected by the cookies. In addition to the administrative fine, an injunction was also issued to force the company to obtain the consent of the data subjects within three months, failing which the company will be required to pay a penalty for each day of delay.
Background information
The CNIL conducted multiple investigations on the website between September 2020 and May 2021 as a result of a complaint regarding the terms for depositing cookies on “bing.com.”
It was discovered that visitors to this site had cookies installed on their computers without their knowledge and that these cookies were used, among other things, for advertising. Additionally, the CNIL noted that there was no button that made it as simple to reject the cookie deposit as it was to accept it.
As a result, Microsoft Ireland Operations Limited was fined €60 million by the restricted committee, the CNIL body in charge of imposing sanctions.
The extent of the processing, the number of data subjects, and the profits the business made from advertising revenue indirectly produced by the data obtained via cookies were used to justify this figure.
In addition to the administrative fine, the restricted committee issued an order: within three months, the corporation must obtain the consent of people residing in France for placing cookies and tracers with advertising purposes on their device on the website “bing.com”. Otherwise, the business risks paying a fine of 60,000 euros per day that it is overdue.
CNIL
The CNIL has the necessary authority to investigate and sanction activities involving cookies that the corporation has placed on the computers of French Internet users. Since the activities associated with the use of cookies fall under the jurisdiction of the “ePrivacy” directive, as implemented in Article 82 of the French Data Protection Act, the GDPR’s “one-stop shop” mechanism is not intended to apply to these procedures.