The French data privacy regulator (CNIL) has fined Microsoft €60 million for breaching the General Data Protection Regulation (GDPR) in relation to its management of cookies on its Bing search engine. The body considers that the technology giant has been automatically installing two files of this type for advertising purposes without the user’s permission and also hindered the ability to reject those that were subject to the browser’s criteria. Specifically, the first action was resolved with a click of a button, while the second required two clicks.
On the first issue, CNIL demands that the user be consulted on the installation of these two cookies like the rest, since their usefulness in checking for fraudulent ad views is not necessary for the search engine to do its job. This is something that Microsoft does not share because “they should not require consent from those who intend to defraud others”, in the words of a spokesperson. The company has not yet decided whether it will appeal that part of the decision.
That is in principle the only problematic aspect of the French regulator’s demands for the company, which earlier this year had included a button to reject cookies next to the one that already existed to accept them. This explains why Microsoft responded in a statement that it had made “key changes” to its practices “even before this investigation had begun”.
CNIL has been particularly concerned about the asymmetry in the effort to accept and reject cookies by the user, in application of the provisions of the GDPR since 2018. In fact, this year it has already fined Google 150 million euros and Meta another 60 million euros for this reason, and both now display a specific button that allows browsers to reject files whose download is not essential to ensure the proper functioning of the website.
The data protection authority (CNIL) requires the company to ask its users about the installation of files related to the auditing of ad impressions.
The amount of the fine is derived in part from the revenue that CNIL estimates Microsoft would have earned from these practices up to March. The company’s European subsidiary, based in Ireland, now has three months to change these policies or face possible fines of 60,000 euros per extra day of non-compliance.