CNIL: fine of EUR 60 M against Micro­soft for coo­kies wit­hout effec­ti­ve consent

The French regu­la­tor CNIL has impo­sed a fine of no less than EUR 60 mil­li­on on Micro­soft Ire­land Ope­ra­ti­ons Ltd (MIOL). On bing.com, the Micro­soft search ope­ra­ted in Euro­pe by MIOL, non-essen­ti­al coo­kies had been set wit­hout first obtai­ning effec­ti­ve con­sent from users.

Initi­al­ly, as in the Goog­le case at the time, the CNIL con­side­red its­elf to be not incom­pe­tentbecau­se, unli­ke the GDPR, the­re is no one-stop store for brea­ches of the e‑Privacy Direc­ti­ve. The local juris­dic­tion the CNIL fur­ther fol­lo­wed from Microsoft’s sub­si­dia­ry in France, Microsoft’s French sub­si­dia­ry, becau­se the ope­ra­ti­on of Bing were inex­tri­ca­bly lin­ked to the acti­vi­ties of Micro­soft France (simi­lar to the Goog­le Spain decis­i­on of the ECJ and a recent decis­i­on of the French Con­seil d’E­tat regar­ding Ama­zon).

In the case, the CNIL found that Micro­soft had posted on Bing.com, pri­or to user con­sent, a mul­ti­func­tion­al coo­kie set. Cer­tain pur­po­ses were sub­se­quent­ly deter­mi­ned or exclu­ded by user cons­ents – wit­hout con­sent, the coo­kie ser­ved only for anti-fraud pur­po­ses, IT secu­ri­ty and the fight against fal­se infor­ma­ti­on, among others.

Accor­ding to CNIL, a mul­ti­func­tion­al coo­kie may Wit­hout con­sent be set when it at least one neces­sa­ry pur­po­se (and is not used for other pur­po­ses wit­hout con­sent). The CNIL did not con­sider this to be ful­fil­led in the pre­sent case. The fight against fraud in the con­text of adver­ti­sing was also not such a pur­po­se, becau­se it ser­ved the adver­ti­sing busi­ness and not direct­ly the ope­ra­ti­on of the search engine.

What the Con­sent requi­re­ments it must be just as easy to refu­se con­sent as to give it; other­wi­se the­re is no real choice. The revo­ca­ti­on of con­sent must also be as simp­le as its expres­si­on. Micro­soft had vio­la­ted this, becau­se next to the but­ton for con­sent to all coo­kies, a cor­re­spon­ding but­ton “reject all” or simi­lar was miss­ing; a rejec­tion requi­red at least two clicks (“Set­tings”, “Save”). The term “set­tings” was also ambi­guous. The user could then also use the web­site wit­hout inter­ac­ting with the coo­kie ban­ner; then no coo­kie was set; howe­ver, this could only be con­side­red a simp­le objec­tion opti­on if the user had been infor­med accor­din­gly and trans­par­ent­ly. This was not the case, howe­ver, which is why the “Accept” but­ton remain­ed the simp­lest opti­on for the user.