The Cost of a Click: Microsoft fined 60 Million Euros by French Privacy Watchdog for French Data Protection Act Violations

Ballard Spahr LLP
Contact

Ballard Spahr LLP

On December 22, 2022, France’s National Commission for Technology and Freedoms (“CNIL”) fined Microsoft’s Irish subsidiary 60 million euro for failure to comply with Article 82 of the French Data Protection Law (known as the “Loi Informatique et Libertés”). Article 82 is France’s implementation of the EU’s ePrivacy Directive, and it generally requires that any subscriber or user of an electronic communications service be informed in a clear and complete manner by the website operator of two things: (1) The purpose of any action tending to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment (aka, in part, “cookies”); and (2)The means at the user’s disposal to oppose it.

In response to consumer complaints, CNIL conducted investigations which concluded that when users visited “bing.com” in 2020 and 2021, cookies were deposited on their terminal without their consent, and that the cookies were then used by Microsoft for advertising purposes. Additionally, the CNIL alleged that Microsoft failed to provide a compliant means of refusing cookies. While Microsoft provide a button for users to accept cookies, it did not offer an equivalent solution to allow the Internet user to refuse cookies just as easily. The CNIL found that two clicks were needed to refuse all cookies, while only one was needed to accept them. In its press release, the CNIL noted that “making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to prefer the ease of the consent button in the first window. [CNIL] considered that such a procedure infringed the freedom of consent of Internet users.”

This “equivalent solution” interpretation was at the heart of a fines levied by CNIL on Facebook and Google earlier this year, and is based upon the CNIL’s 2019 guidance that consent for cookies must be “freely given.” These fines are a reflection of the CNIL’s position that making it more difficult to refuse cookies than to accept them ‘nudges’ the user toward acceptance, and therefore is not considered to be freely given consent. In the case of Microsoft, even a single additional click was enough to trigger a violation, however, the CNIL noted that this issue was eventually rectified by the implementation of a “Refuse All” button on March 29, 2022.

In settling on a 60 million euro fine, the CNIL states it reviewed the scope of the processing, the number of data subjects, and the profits the company made from advertising profits indirectly generated from the data collected via cookies. In addition to the administrative fine, Microsoft was ordered to become compliant with Article 82 within three months, otherwise the company may be required to pay a penalty of 60,000 euros per day thereafter.

The CNIL action is a reminder that analytical tools remain in the crosshairs, and companies should carefully weigh the risks and value when setting up their consent and notice mechanisms.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Contact
more
less

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide