The CNIL has just imposed a fine of 60 million euros on Microsoft for its poor management of cookies on its Bing search engine, thus authorizing advertising tracking without the consent of users. And bang!
Clearly, the National Commission for Computing and Liberties (the CNIL) is in great shape right now! After pinning Discord about the personal data of its users and inflicting a heavy fine on Free for having recycled Freeboxes still containing data from former users, the digital policeman is pulling Microsoft’s ears this time. In a decision made public on December 22, 2022, the commission revealed that it had looked into the case of the Bing search engine in September 2020 and May 2021, following a complaint. In particular, the CNIL discovered that advertising cookies were placed on users’ terminals without their consent and that the button to refuse this deposit was less accessible than the one to accept it. Because of this, the company is in violation of the General Data Protection Regulation (GDPR), and more specifically article 82 of the Data Protection Act. The CNIL has therefore decided to condemn Microsoft, and more specifically Microsoft Ireland Operations Limited – its subsidiary responsible in Europe for the management of the Bing search engine – to pay a fine fine of 60 million euros. A Christmas present that the firm would certainly have done without!
CNIL fine for Microsoft: cookies difficult to refuse
Two problems have been noted by the CNIL. At first, “she found that when a user visited this site, cookies were placed on his terminal without his consent while they were pursuing, in particular, an advertising objective. It also penalizes the fact that the button for refusing cookies is more difficult to access than the button for accepting them. “If the search engine offered a button to immediately accept cookies, it did not offer an equivalent solution (refusal button or other) to allow the user to refuse them so easily. Two clicks were necessary to refuse all cookies, only one to accept them“. A maneuver aimed at discouraging users from refusing cookies and encouraging them to take the easy way out by clicking on the consent button appearing in the first window. However, this process infringes the freedom of consent of Internet users.
If Microsoft did set up a “Refuse all” button on March 29, 2022, the CNIL still decided to impose a fine of 60 million euros on it, an amount justified “by the scope of the processing, by the number of data subjects and by the benefits that the company derives from the advertising revenue indirectly generated from the data collected by the cookies.” Indeed, the business of advertising cookies brings in a lot of money, and Microsoft is the world number two in research with tens of millions of users, even if Google is far ahead. The firm now has three months to set up a clearer consent system for depositing cookies, otherwise it will be liable to a penalty of 60,000 euros per day of delay.