Cookies: MICROSOFT IRELAND OPERATIONS LIMITED fined 60 million euros

22 December 2022

On 19th December 2022, the CNIL imposed a penalty of 60 million euros on MICROSOFT IRELAND OPERATIONS LIMITED, in particular for not allowing the users to refuse cookies as easily as accepting them.

Backgroud information

Following a complaint about the conditions for depositing cookies on "bing.com", the CNIL carried out several investigations on the website in September 2020 and May 2021.

It found that when users visited this site, cookies were deposited on their terminal without their consent, while these cookies were used, among others, for advertising purposes. It also observed that there was no button allowing to refuse the deposit of cookies as easily as accepting it.

As a result, the restricted committee, the CNIL body responsible for issuing sanctions, fined MICROSOFT IRELAND OPERATIONS LIMITED €60 million, which was made public.

It justified this amount by the scope of the processing, the number of data subjects and the profits the company made from advertising profits indirectly generated from the data collected via cookies.

In addition to the administrative fine, the restricted committee also issued an order with periodic penalty payment requiring that the company collects, on the website "bing.com", the consent of individuals residing in France, within three months, before depositing cookies and tracers with advertising purposes on their terminal. Otherwise, the company may pay a penalty of 60,000 euros per day overdue.

Breaches of the French Data Protection Act

The restricted committee found breaches of Article 82 of the French Data Protection Act.

The deposit of cookies without prior consent of the user

When users visited the search engine "bing.com", a cookie with several purposes, including the fight against advertising fraud, was automatically deposited on their terminal without any action on their part.

Furthermore, when they kept browsing the search engine, a cookie with an advertising purpose was placed on their terminal, again without their consent being collected.

However, the law requires that this type of cookies be deposited only after the users have expressed their consent.

The absence of a compliant means of collecting consent for the deposit of cookies

While the search engine offered a button to accept cookies immediately, it did not offer an equivalent solution (button to refuse or other) to allow the Internet user to refuse them as easily. Two clicks were needed to refuse all cookies, while only one was needed to accept them.

The restricted committee noted that making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to prefer the ease of the consent button in the first window. It considered that such a procedure infringed the freedom of consent of Internet users.

The restricted committee concluded that the conditions for obtaining consent that were offered to users until the introduction of a "Refuse All" button on 29 March 2022, constituted a breach of the law.

Jurisdiction of the CNIL

The CNIL is materially competent to verify and sanction operations related to cookies deposited by the company on the terminals of Internet users located in France. The cooperation mechanism provided for by the GDPR (the “one-stop shop” mechanism) is not intended to apply in these procedures insofar as the operations linked to the use of cookies fall within the scope of the " ePrivacy " directive, transposed in Article 82 of the French Data Protection Act. 

The restricted committee considered that the CNIL is also territorially competent because the use of cookies is carried out within the "framework of the activities" of the company MICROSOFT FRANCE, which constitutes the "establishment" on French territory of the MICROSOFT group.

Note: MICROSOFT IRELAND OPERATIONS LIMITED, whose head office is in Ireland, presents itself as the controller of the "bing.com" search engine in the European region. MICROSOFT FRANCE is the establishment in France of the Microsoft group.