France Fined Microsoft Over 60 Million Euros for Using Advertisement Cookies Without Consent

The French privacy regulator announced on Thursday that it had penalized Microsoft, a major US technology company, 60 million euros ($64 million) for forcing advertising cookies on customers.

The National Commission for Technology and Freedoms (CNIL), which levied the biggest fine in 2022, claimed that Microsoft’s search engine Bing did not have a system in place that allowed users to refuse cookies as easily as accept them.

“On 19 December 2022, the CNIL’s restricted formation sanctioned MICROSOFT IRELAND OPERATIONS LIMITED to the tune of €60 million, in particular for not having put in place a mechanism to refuse cookies as easily as accepting them”, according to CNIL.

CNIL Conducted a Number of Inspections

The CNIL carried out several checks on the website regarding the terms for the deposit of cookies on “bing.com.”

It was discovered that when a user went to that site, cookies were secretly installed on his computer while they, among other things, sought an advertising goal. It also mentioned the absence of a button that would make rejecting the deposit of cookies as simple as accepting it.

It was found that when a user visited the “bing.com” search engine, a cookie was immediately and without his consent placed on his terminal with multiple goals in mind, including preventing advertising fraud.

A cookie for advertising purposes was placed on his computer when he continued to use the search engine, always without first obtaining his permission.

Further, two clicks were required to refuse all cookies, and only one to accept them. It considered that such a procedure infringed the freedom of permission of internet users.

Therefore, according to the legislation, this kind of cookie can only be placed with the user’s permission.

France Fines Microsoft 60 Million Euros

Hence, the company MICROSOFT IRELAND OPERATIONS LIMITED was fined 60 million euros by the restricted formation, the CNIL body in charge of issuing sanctions, and this decision was made public.

This sum was justified by the extent of the processing, the number of data subjects, and the profits the business makes from advertising income derived in part from cookie-collected data.

The report states that the restricted formation also approved a penalty-based injunction requiring the company to obtain the consent of persons residing in France before depositing cookies and tracers on their terminals on the website “bing.com” within three months.

In any other case, the business will be required to pay a fine of 60,000 euros for each day of delay.

“The cooperation mechanism provided for by the GDPR (“one-stop shop” mechanism) is not intended to apply in these procedures insofar as operations related to the use of cookies fall under the “ePrivacy” directive, transposed to Article 82 of the Data Protection Act”, CNIL

Because the usage of cookies is done in the “context of the activities” of the company MICROSOFT FRANCE, which is the “establishment” of the MICROSOFT group on French territory, the restricted formation believed that the CNIL also has territorial jurisdiction.

Managed DDoS Attack Protection for Applications – Download Free Guide