A €60 million ($63.88 million) fine has been levied against Microsoft’s Ireland subsidiary by France’s privacy authority for placing advertising cookies on customers’ computers without getting their permission, a violation of EU data protection laws.
Users of Microsoft’s Bing search engine did not have a “tool to refuse cookies as simply as accepting them,” according to the Commission Nationale de l’Informatique et des Libertés (CNIL).
In response to a complaint it received in February 2020, the authority conducted an online audit between September 2020 and May 2021 and found that the tech giant had placed cookies without first obtaining the user’s consent, as is required by law, in order to deliver adverts and combat advertising fraud.
Microsoft has been ordered to change its cookie policies within three months in addition to paying the fines, failing which it would be subject to a daily penalty of €60,000.
The maker of Windows claimed in a statement provided to the Wall Street Journal that it has already made adjustments to include a choice to reject advertising cookies. However, it voiced worry that consent from people “intending to mislead others” shouldn’t be required for cookies used to detect ad fraud.
The sanctions levied against CNIL are part of a larger campaign against large internet firms and come soon after similar financial penalties levied against Meta Platforms and Google’s parent company Alphabet in early January.
The agency also levied fines against Discord and electricity company Électricité de France (EDF) last month for failing to adhere to GDPR data retention policies and using shoddy encryption algorithms to secure passwords, respectively.