The French regulator CNIL has imposed a fine of no less than EUR 60 million on Microsoft Ireland Operations Ltd (MIOL). On bing.com, the Microsoft search operated in Europe by MIOL, non-essential cookies had been set without first obtaining effective consent from users.
Initially, as in the Google case at the time, the CNIL considered itself to be not incompetentbecause, unlike the GDPR, there is no one-stop store for breaches of the e‑Privacy Directive. The local jurisdiction the CNIL further followed from Microsoft’s subsidiary in France, Microsoft’s French subsidiary, because the operation of Bing were inextricably linked to the activities of Microsoft France (similar to the Google Spain decision of the ECJ and a recent decision of the French Conseil d’Etat regarding Amazon).
In the case, the CNIL found that Microsoft had posted on Bing.com, prior to user consent, a multifunctional cookie set. Certain purposes were subsequently determined or excluded by user consents – without consent, the cookie served only for anti-fraud purposes, IT security and the fight against false information, among others.
According to CNIL, a multifunctional cookie may Without consent be set when it at least one necessary purpose (and is not used for other purposes without consent). The CNIL did not consider this to be fulfilled in the present case. The fight against fraud in the context of advertising was also not such a purpose, because it served the advertising business and not directly the operation of the search engine.
What the Consent requirements it must be just as easy to refuse consent as to give it; otherwise there is no real choice. The revocation of consent must also be as simple as its expression. Microsoft had violated this, because next to the button for consent to all cookies, a corresponding button “reject all” or similar was missing; a rejection required at least two clicks (“Settings”, “Save”). The term “settings” was also ambiguous. The user could then also use the website without interacting with the cookie banner; then no cookie was set; however, this could only be considered a simple objection option if the user had been informed accordingly and transparently. This was not the case, however, which is why the “Accept” button remained the simplest option for the user.