The French regulator said that after investigations it was found that:
When users visit this website, cookies are deposited on their terminal without their consent, while these cookies are used, among other things, for advertising. It also noted that there is no button that allows the depositing of cookies to be easily refused.
The CNIL said the fine was due in part to the profit the company made from advertising revenue it made indirectly from data collected through cookies — small data files that track online browsing. Bing offered a button for the user to immediately accept all cookies, but it took two clicks to reject them, he said.
The company has three months to rectify the situation, with a possible additional fine of €60,000 per day of delay. The fine was issued to Microsoft Ireland, where the company’s European base is located.
Microsoft said in a statement:
We made important changes to our cookie practices even before this research began. We remain concerned about the CNIL’s stance on ad fraud. “France’s watchdog position harms French individuals and companies”.
When a user visits a website, cookies are installed on their computer and allow browsers to store information about their session. They are invaluable to tech platforms as ways to personalize ads — a major source of revenue for companies like Facebook and Google.
But privacy advocates have long backed away from the issue. Since the European Union passed the Personal Data Act in 2018, Internet companies have faced stricter rules that require them to obtain consent from users before installing cookies.
The two companies are also facing scrutiny over the way they send personal data of EU residents to US servers. And tech giants continue to grapple with multiple cases across Europe.
Earlier this month, the European Data Protection Authority imposed binding decisions on the processing of personal data by Meta, which owns Facebook, Instagram and WhatsApp.
The European data protection watchdog said in a statement that the decisions relate to the use of meta data for targeted advertising, but did not provide details of its decision or recommended fines. The latest case follows a complaint by privacy campaign group Noyb that the three Meta apps do not comply with strict European data protection laws.