France’s digital privacy regulator, the Commission nationale de l’informatique et des libertés (CNIL), announced on December 22, 2022 it had fined US tech giant Microsoft €60m ($64m), its largest this year, over advertising cookies.
The CNIL found that Microsoft’s search engine, Bing, had not set up a system allowing users to refuse cookies as simply as accepting them – a requirement under the EU’s general data protection regulation (GDPR).
The regulator also said that, after investigation, it found that “when users visited [Bing], cookies were deposited on their terminal without their consent, while these cookies were used, among others, for advertising purposes.” Bing offered a button for the user to immediately accept all cookies, but two clicks were need to refuse them, it said.
The fine was justified partly because of the money the company made from advertising profits indirectly generated from the data collected via cookies, the CNIL added.
The company has been given three months to rectify the issue, with a potential further penalty of €60,000 ($64,000) per day overdue.
The fine was issued to Microsoft Ireland, where the company has its European base.
In a statement, Microsoft said that it had “introduced key changes to our cookie practices even before this investigation started.”
“We continue to respectfully be concerned with the CNIL’s position on advertising fraud,” it said, adding that it believes the French watchdog’s “position will harm French individuals and businesses.”
Google and Facebook were sanctioned by the CNIL in 2021 with fines of €150m and €60m respectively ($159m and $64m) for similar breaches of the GDPR.