Regulatory action involving targeted advertising is usually directed at Facebook and Google, but Microsoft is now facing scrutiny as France’s lead privacy regulator CNIL has issued it a €60 million fine over insufficiently transparent cookie consent policies.
The regulator determined that the company’s Bing search engine does not provide users with clear enough instruction for opting out of its tracking cookie system, which is used to feed personalized ads. Microsoft has additionally been given three months to get the system into compliance, or it could face additional fines of €60,000 per day.
Bing cookie consent process found too opaque, requires too many clicks
CNIL cited several cookie consent issues with Bing, but the one it emphasized the most was that it was easier to accept cookies than to refuse them. Microsoft was found to be in violation of Article 82 of the French Data Protection Act, allowing the regulator to make a direct move even though the company’s regional headquarters are in Ireland. However, the General Data Protection Regulation (GDPR) also has a stipulation of this nature, requiring that tracking cookies must be as easy to reject as they are to accept.
The cookie consent fine stemmed from a complaint filed with the regulator in 2020, which resulted in an investigation spanning from September of that year to May 2021. CNIL said that the large fine amount was based on the number of data subjects thought to be impacted and the amount of profit Microsoft made from the system.
CNIL also noted that another type of cookie, one designed to combat ad fraud, was deposited on user devices without their knowledge or consent when they visited the Bing website. Though this was not explicitly used to deliver targeted ads, its scope of purpose nevertheless required that prior consent be collected under France’s regulations.
The ad tracking cookie was placed after users began entering search terms. A cookie consent notification was present, but required two clicks to refuse all tracking cookies; accepting them all required just one click. Acceptance was also collected via a very prominent button that was immediately available, and CNIL noted there was no such equivalent simplified button present for refusal. Bing has since added a refusal button of this sort as of March 2022.
Cookie consent issues subject to direct action under terms of ePrivacy Directive
The ePrivacy Directive pre-dates the GDPR by over a decade, and was the bloc’s first regulation expressly addressing tracking cookies. It now generally serves as a supplement to the GDPR, but takes precedence over it in some cases. If a nation has its own sovereign data privacy law that incorporates it, as France does, it can be used to “shortcut” the GDPR in cases in which the data privacy of citizens is impacted by a company based elsewhere in the bloc.
This keeps cookie consent cases from entering the GDPR process, which would put the host nation’s regulator at the head of the investigation and involve deliberation amongst all EU members as to the eventual penalty terms. This has proven to be a lengthy process, particularly when the Irish DPC is heading the investigation. The body opened a probe into Microsoft’s Windows 10 privacy practices in August 2019, which remains unresolved over three years later as the operating system is steadily being supplanted by Windows 11. The case stemmed from a request made by the the Dutch Data Protection Agency, which determined the operating system violated its national privacy laws in 2017.
CNIL has made clear at this point that it intends to be active with its ePrivacy Directive powers, issuing a number of fines to major tech firms that usually take refuge from speedy penalty decisions in Dublin. It has recently hit both Google (€150 million) and Facebook parent Meta (€60 million) over cookie consent issues. It does also remain possible that Microsoft could face GDPR action under that regulation’s cookie consent terms, as well as independent action from other DPAs in the bloc.
Microsoft appears to have accepted the cookie consent fine, but issued a statement pushing back against the decision to penalize the company for the deployment of its cookies that are used to combat ad fraud. However, there is a general industry trend away from the use of these cookies as Google and other tech platforms have pledged to phase in more privacy-focused tracking method. Many are already turning away from ad fraud cookies and either implementing or planning for new measures, the most popular of which is device fingerprinting; this is not expressly forbidden by the GDPR, but does require clear disclosure and permission similar to the cookie consent rules.