On December 22, 2022, France’s National Commission for Technology and Freedoms (“CNIL”) fined Microsoft’s Irish subsidiary 60 million euro for failure to comply with Article 82 of the French Data Protection Law (known as the “Loi Informatique et Libertés”). Article 82 is France’s implementation of the EU’s ePrivacy Directive, and it generally requires that any subscriber or user of an electronic communications service be informed in a clear and complete manner by the website operator of two things: (1) The purpose of any action tending to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment (aka, in part, “cookies”); and (2)The means at the user’s disposal to oppose it.
In response to consumer complaints, CNIL conducted investigations which concluded that when users visited “bing.com” in 2020 and 2021, cookies were deposited on their terminal without their consent, and that the cookies were then used by Microsoft for advertising purposes. Additionally, the CNIL alleged that Microsoft failed to provide a compliant means of refusing cookies. While Microsoft provide a button for users to accept cookies, it did not offer an equivalent solution to allow the Internet user to refuse cookies just as easily. The CNIL found that two clicks were needed to refuse all cookies, while only one was needed to accept them. In its press release, the CNIL noted that “making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to prefer the ease of the consent button in the first window. [CNIL] considered that such a procedure infringed the freedom of consent of Internet users.”
This “equivalent solution” interpretation was at the heart of a fines levied by CNIL on Facebook and Google earlier this year, and is based upon the CNIL’s 2019 guidance that consent for cookies must be “freely given.” These fines are a reflection of the CNIL’s position that making it more difficult to refuse cookies than to accept them ‘nudges’ the user toward acceptance, and therefore is not considered to be freely given consent. In the case of Microsoft, even a single additional click was enough to trigger a violation, however, the CNIL noted that this issue was eventually rectified by the implementation of a “Refuse All” button on March 29, 2022.
In settling on a 60 million euro fine, the CNIL states it reviewed the scope of the processing, the number of data subjects, and the profits the company made from advertising profits indirectly generated from the data collected via cookies. In addition to the administrative fine, Microsoft was ordered to become compliant with Article 82 within three months, otherwise the company may be required to pay a penalty of 60,000 euros per day thereafter.
The CNIL action is a reminder that analytical tools remain in the crosshairs, and companies should carefully weigh the risks and value when setting up their consent and notice mechanisms.