Introduction
At the end of December France’s data protection authority, CNIL, announced another large fine for non-compliance with cookies laws, this time for Microsoft who received a fine of €60m. It is just the latest in a long line of high cookies fines. Cookies have been on the agenda for many DPAs with recent enforcement activity in Belgium, Czech Republic, Denmark, Finland, Germany, Netherlands, Norway and Spain in addition to the French campaign.
What was this case about?
CNIL said that it acted on complaints about the use of cookies on the bing.com website controlled by Microsoft Ireland Operations Limited. It carried out checks on the website in September 2020 and May 2021 and said that cookies were placed on a user’s device without consent including to support advertising on the site. The bing cookie banner was not compliant. We have seen many complaints that cookies banners are not compliant and it is a real area of focus for regulators currently.
We’ve talked before in our alerts about the need to make sure that cookie banners are set up so that it is as easy to reject cookies as to accept them. In this case CNIL said two clicks were required to refuse all cookies and only one to accept them.
What was the Penalty?
CNIL imposed a fine of €60m. It has also adopted an injunction giving Microsoft 3 months to change its cookie practices. If it does not, Microsoft will be liable to pay an additional fine of €60,000 per day.
According to CNIL, Microsoft made changes to its cookie practices in March 2022 but CNIL requires more work to be done.
As in other cases, CNIL says that it is competent to take action without having to refer the case to Ireland as Microsoft’s lead DPA under the GDPR One-Stop-Shop procedure. This isn’t the first time CNIL has bypassed One-Stop-Shop. This was also a feature of similar enforcement action against Google and Amazon https://www.corderycompliance.com/cnil-cookies-investigation/ It would potentially be open for other DPAs across the EU to take parallel action.
Previous Complaints
The complaints CNIL have referred to are likely part of an ongoing campaign that NOYB has launched looking at compliance with GDPR and with specific EU cookie laws. We looked at the background to these complaints last year here https://www.corderycompliance.com/cookie-enforcement-rising/. The European Data Protection Board (EDPB) launched a special task force in September 2021 to coordinate the response across the EU to cookie banner complaints filed by NOYB. That task force is exchanging views on legal analysis and possible infringements, providing support to national DPAs and streamlining communication. We know from our experience of dealing with these claims that they are not to be taken lightly.
At the same time CNIL is also looking at similar tracking technology in mobile apps. It has been investigating Apple over tracking technology in its iOS 14 operating system. On 4 January 2023 CNIL announced a fine for Apple of €8m. In the Apple case CNIL acted on a complaint from another pressure group, France Digitale. Again CNIL bypassed One-Stop-Shop.
Practical steps to compliance
To manage their cookie compliance risk businesses should consider undertaking an overall cookie compliance audit. That may include the following:
- Identifying cookies that are either operating on or through your websites.
- Confirming what types of cookies they are.
- Confirming whether there is any third party access to the cookies.
- Determining cookie lifespan and deciding whether the duration is justifiable for the stated purpose (for example we have seen retention periods of more than 100 years which will be very hard to justify).
- Confirming the purposes of each of the cookies that are used/intended to be used.
- Identifying the data that each cookie holds or processes.
- Confirming if the cookies are linked to other information held about users (either by you or by third parties such as Google, Facebook and Microsoft) and whether the use of cookies involves processing personal data.
- Reviewing consent mechanisms – ask yourself: is it as easy to reject cookies as to accept them? Be especially aware of ‘nudging’, the colours you use and the look and feel of any cookies banner.
- Setting out an action plan to address these issues and fully documenting the audit.
- Updating your cookies policy & cookies banner to make sure it is accurate & consistent.
- Looking at compensation claim risk and having a plan to deal with claims quickly. We have seen a rise in threatened cookies claims, some with more merit than others.
- Keeping abreast of changes in the law – some changes are coming with cookies laws and you’ll need to keep up to date.
Whilst Apple has made changes to its operating system since the period CNIL investigated anyone using apps would be wise to consider a similar exercise for the data in their apps too.
More Information
You can find out more about Cordery’s fixed fee cookies clinic to check your compliance here https://www.corderycompliance.com/more-cordery-solutions/cordery-cookies-clinic/.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
There are details of the Microsoft fine here https://www.cnil.fr/fr/cookies-sanction-de-60-millions-deuros-lencontre-de-microsoft-ireland-operations-limited and details of the Apple fine here https://www.cnil.fr/en/advertising-id-apple-distribution-international-fined-8-million-euros.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 | |
Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
![]() |
![]() |