French data protection authority CNIL has penalized Microsoft €60 million ($64 million) for forcing advertising cookies on customers.

Microsoft received the largest fine imposed by the CNIL this year because it failed to provide users of its Bing search engine with a sufficient way to decline cookies. “There was no button allowing to refuse the deposit of cookies as easily as accepting it”, the regulator observed.

According to the French authority, investigations revealed that “when users visited this site, cookies were deposited on their terminal without their consent, while these cookies were used, among others, for advertising purposes”.

Not the first, not the last

The CNIL stated that the sanction was warranted due to the company indirectly producing advertising profits from data obtained via cookies, which are small files that monitor web activity.

The organization has been given three months to fix the problem, with a maximum fine of €60,000 euros for every day overdue.

The CNIL frequently audits sites that fail to meet cookie guidelines set by the GDPR. The regulator fined Google and Facebook €150 million and €60 million, respectively, for similar violations last year.

Risky cookies

When someone visits a website and accepts cookies, small files are stored on their computer, allowing web browsers to track their activity.

Cookies are extremely useful to internet platforms that personalize advertisements, which is the major source of revenue for giants like Facebook and Google. However, privacy activists have long resisted the practice.

Ever since the European Union implemented the GDPR in 2018, internet companies have faced stricter laws requiring them to properly obtain consent from users before deploying cookies.