CNIL’s Restricted Committee sanctioned Microsoft Ireland after receiving a complaint relating to the conditions for the deposit of cookies on Microsoft’s search engine bing.com.
The data privacy regulator said in a statement that it “found that when a user visited this site, cookies were placed on their terminal without their consent, while they were pursuing, in particular, an advertising objective.” CNIL also noticed the absence of a button allowing users to refuse the deposit of cookies as easily as to accept it.
The Restricted Committee justified the fine amount by the scope of the processing, the number of data subjects, and the benefits that the company derives from the advertising revenue indirectly generated from the data collected by the cookies.
CNIL also said, “In addition to the administrative fine, the Restricted Committee also adopted an injunction subject to a penalty order requiring the company to collect on the ‘bing.com’ website, within three months, the consent of persons residing in France before filing on their terminal cookies and trackers for advertising purposes. Otherwise, the company will be liable to pay a penalty payment of 60,000 euros per day of delay.”
France’s data privacy regulator found bing.com in breach of Article 82 of France’s Data Protection Act. It said that when a user went to the “bing.com” search engine, a cookie serving several purposes, including the fight against advertising fraud, was automatically placed on his terminal without action on his part. This was done without his consent having been obtained. CNIL noted that the law requires that this type of cookie be placed only after the user’s consent.
CNIL’s Restricted Committee noted that making the refusal mechanism more complex amounts to discouraging users from refusing cookies and encouraging them to favor the ease of the consent button appearing in the first window. It considered that such a process violated the freedom of consent of Internet users.