| Official comms from the CNIL who issued the fine (French link) : https://www.cnil.fr/fr/cookies-sanction-de-60-millions-deuro... Translated using ChatGPT :
On December 19, 2022, the restricted training of the CNIL (French National Commission on Informatics and Liberty) fined Microsoft Ireland Operations Limited 60 million euros, particularly for not having set up a mechanism allowing cookies to be refused as easily as they are accepted. The context
Following a complaint regarding the conditions for depositing cookies on "bing.com," the CNIL conducted several checks on the website in September 2020 and May 2021. It found that when a user visited the site, cookies were deposited on their terminal without their consent, and that these cookies were used for, among other things, advertising purposes. It also found that there was no button allowing cookies to be refused as easily as they were accepted. As a result, the restricted training, a body of the CNIL responsible for imposing sanctions, fined Microsoft Ireland Operations Limited 60 million euros, which was made public. It justified this amount by the scope of the processing, the number of people affected, and the benefits that the company derives from the advertising revenue indirectly generated from the data collected by the cookies. In addition to the administrative fine, the restricted training also issued an injunction with a penalty clause requiring the company to obtain consent from French residents on the "bing.com" website before depositing cookies and trackers with an advertising purpose on their terminals. If it fails to do so, the company will be subject to a penalty of 60,000 euros per day of delay. Violations of the Data Protection Act
The restricted training identified violations of Article 82 of the Data Protection Act. Depositing cookies without prior consent from the user
When a user visited the "bing.com" search engine, a cookie with several purposes, including combating fraudulent advertising, was automatically deposited on their terminal without any action on their part. Furthermore, when the user continued to navigate the search engine, a cookie with an advertising purpose was deposited on their terminal, again without their consent being obtained. However, the law requires that this type of cookie can only be deposited after the user has given their consent. The absence of a compliant means of obtaining consent for the deposit of cookies
While the search engine provided a button allowing cookies to be immediately accepted, it did not offer an equivalent solution (a refusal button or the like) to allow internet users to refuse them as easily. It took two clicks to refuse all cookies and just one to accept them. The restricted training found that making the refusal mechanism more complex effectively discourages users from refusing cookies and encourages them to choose the ease of the acceptance button. As such, the company did not have a compliant mechanism for obtaining consent for the deposit of cookies. |