The French data protection authority, the CNIL, sanctioned Microsoft with a fine of 60 million euros for not having put in place a mechanism for users to refuse cookies as easily as to accept them.

The sanction came after the CNIL carried out several investigations following a complaint about the conditions for depositing cookies on “bing.com”. The CNIL’s decision was based on breaches of Article 82 of the French Data Protection Act. In particular, it found that:

– When a user visited the search engine “bing.com”, a cookie serving several purposes, including the fight against advertising fraud, was automatically placed on their terminal without any action on their part.

– Moreover, when a user continued to browse on the search engine, a cookie with an advertising purpose was deposited on their terminal without their consent having been obtained. This constitutes a violation of the Act, as it requires that this type of cookie be placed only after users have consented.

The decision also highlighted the absence of a compliant means of obtaining consent for the deposit of cookies. It stated that although the search engine offered a button to accept cookies immediately, it did not provide an equivalent solution (e.g. a button to refuse) allowing the user to refuse them as easily as accepting them. This is because Bing offered one button for users to accept all cookies, while two clicks were needed to refuse all cookies.

It was noted that complex refusal mechanisms are likely to discourage users from refusing cookies and instead encourage them to prefer the ease of the consent button appearing in the first window, which ultimately violates the freedom of consent of Internet users.

In deciding the amount of the fine, the CNIL took into account the scope of the processing, the number of data subjects, and the benefits that the company derives from the advertising profits indirectly generated from the data collected via cookies.

 

How does your organisation handle cookies? Contact us, experts in data privacy, if you want to learn more via: info@dpoconsultancy.nl.

https://www.cnil.fr/en/cookies-microsoft-ireland-operations-limited-fined-60-million-euros