French data agency fines Microsoft $63 million for Bing cookie violations

France’s data privacy watchdog has issued Microsoft a more than $63 million fine for several violations related to how the Bing search engine handles cookies. 

During an investigation from September 2020 until May 2021, France’s Commission nationale de l'informatique et des libertés (CNIL) found that when users visited Bing.com, “cookies were deposited on their terminal without their consent, while these cookies were used, among others, for advertising purposes.” This was in violation of France’s Data Protection Act.

Cookies are files created by websites as a user visits them, saving browsing information on the device and within the web browser.

“When users visited the search engine... a cookie with several purposes, including the fight against advertising fraud, was automatically deposited on their terminal without any action on their part,” CNIL said in a decision made public on December 22. 

“Furthermore, when they kept browsing the search engine, a cookie with an advertising purpose was placed on their terminal, again without their consent being collected. However, the law requires that this type of cookie be deposited only after the users have expressed their consent.”

CNIL added that the search engine offered a button to accept cookies immediately but no equivalent solution to allow users to refuse cookies. Two clicks were needed to refuse all cookies, while only one was needed to accept them, CNIL explained. 

“The committee noted that making the refusal mechanism more complex actually discourages users from refusing cookies and encourages them to prefer the ease of the consent button in the first window,” the agency said. 

“It considered that such a procedure infringed on the freedom of consent of Internet users.”

While Microsoft implemented a “Refuse All” option in late March 2022, the agency found that until that point the company was in breach of French law.   

They justified the €60 million fine because of the number of cookies processed, the number of users involved and the advertising profits Microsoft “indirectly generated from the data collected via cookies.” 

CNIL also issued an order for the company to get consent for cookies "and tracers with advertising purposes" for individuals living in France within three months, or it would be subject to a daily €60,000 fine.

The CNIL fined MICROSOFT IRELAND OPERATIONS LIMITED 60 million euros, in particular for not allowing the users to refuse #cookies as easily as accepting them https://t.co/Rdl1AUIWRF pic.twitter.com/Zu7lvzYeaU

— CNIL_en (@CNIL_en) December 22, 2022

A Microsoft spokesperson said they "fully cooperated with the CNIL" and introduced changes to their cookie practices "even before this investigation started."

"We continue to respectfully be concerned with the CNIL’s position on advertising fraud," the spokesperson said. "We believe the CNIL’s position will harm French individuals and businesses by allowing fraud to spread online.”

In January, CNIL fined Google €150 million (about $159.6 million) and Facebook €60 million ($63.86 million) for similarly failing to provide an equally easy-to-find button allowing users to decline cookies. 

“The commission considered that this process affects the freedom of consent: since, on the Internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favor of consent,” they said.