CNIL: Microsoft must pay 60 million euros in France for lack of cookie consent on Bing
The French data protection authority CNIL has fined Microsoft for not providing a simple option to reject cookies when searching with Bing.
Microsoft is to pay a fine of 60 million euros in France for cumbersome cookie settings and for setting such browser files via the Bing search engine website without the required consent of users. The French data protection authority CNIL published the corresponding decision of Dec. 19 on Thursday. It justifies the amount of the fine with the extent of the data processing that took place and the number of people affected.
The supervisory authority also factored in profits that the U.S. company with its European headquarters in Ireland had made from advertising revenue. According to its own information, the CNIL only took into account income that is indirectly based on data that Microsoft has collected with the help of cookies.
Cookie: Checks by the data protection authorities
Prior to this, the data protection authorities carried out checks on bing.com in September 2020 and May 2021, and found that cookies were being placed on users’ devices without their consent, even though they were used for advertising purposes, among other things. There had been no button with which visitors could have “just as easily rejected as accepted” the setting of the browser files. To reject all cookies via the banner, two clicks were required; to accept them, only one. This complicated rejection mechanism, according to the auditors, led users to prefer the consent button in the first window for convenience.
In addition to the fine, the CNIL also issued an order requiring the company, within three months, to obtain consent from people visiting the search engine on bing.com from France before placing cookies on their terminal for advertising purposes and using trackers. If this requirement is implemented late, Microsoft faces a penalty payment of 60,000 euros per day. The authority points out that the conditions for obtaining user consent have long been illegal. It was only on March 29, 2022, that the corporation introduced a “Decline All” button, it said.
The CNIL did not impose the sanction on the basis of the General Data Protection Regulation (GDPR). It was based on Article 82 of the national law on information technology and freedoms, with which the French legislature had implemented the EU’s 2002 e-privacy directive. The French regulators thus did not have to refer the case to the Irish data protection authority DPC, which has lead jurisdiction over Microsoft under the GDPR. The CNIL previously imposed a fine of 100 million euros on Google for similar reasons, which the Conseil d’Etat finally confirmed in January. Facebook has also already had to pay 60 million in France because of opt-in problems.