Microsoft Ireland Operations Limited – €60,000,000 Fine (France, 2022)

€60,000,000 | Commission Nationale de l'Informatique et des Libertés | 19 December 2022 | France
final
ePrivacy
Fine

Microsoft Ireland Operations Limited was fined EUR 60 million by the French data protection authority for not getting proper consent before placing cookies on users' devices. This ruling is significant because it shows that companies must be clear about cookie use and obtain valid consent from users.

What happened

Microsoft placed cookies on users' devices without obtaining valid consent, violating privacy laws.

Who was affected

Users of the bing.com search engine who were tracked by cookies without their consent were affected.

What the authority found

The authority ruled that Microsoft failed to comply with consent requirements for non-essential cookies, violating GDPR and ePrivacy rules.

Why this matters

This ruling sets a strong precedent for cookie consent enforcement. Companies should review their cookie practices to ensure they comply with consent requirements.

GDPR Articles Cited

AI-verified

Art. 5(3) ePrivacy Directive
Art. 4(11) GDPR

National Law Articles

AI-identified

Article 82 of the French Data Protection Act
Source verified 2 April 2026
articles corrected
national law identified
Full Legal Summary
Detailed

On 21 February 2020, the French DPA, the National Commission for Computing and Liberties (CNIL), received a complaint directed at Microsoft Ireland Operations Limited (MIOL) regarding its domain "bing.com", a search engine. The complaint prompted the DPA to launch an investigation into "bing.com" to verify its compliance with the French law implementing the ePrivacy Directive, the French "Data Protection Act", and the GDPR.

In the investigation, the DPA's commissioned investigator, the "rapporteur", found issues regarding both (1) a lack of compliance with the obligation to acquire users' consent to install non-essential cookies on users' terminals and (2) a shortcoming of the consent that was acquired, since it did not meet the required legal conditions to be considered "valid" consent. The rapporteur presented their findings to be considered by the DPA. MIOL was given the opportunity to reply to the rapporteur's findings.

On the first issue, the rapporteur reported that upon arrival at the bing.com site, and before the user took any action, a multi-purpose cookie named "MUID" was placed on the user's terminal. Upon request, MIOL explained that the cookie was used for advertisement purposes if users consented to it. However, if no consent was provided, the cookie was used for the detection of advertising fraud concerning non-targeted advertising. According to the rapporteur, the "broader purpose of contextual advertising" excluded the cookie from the consent exemptions of Article 82 of the French Data Protection Act (implementing Article 5 of the ePrivacy Directive), which are only applicable when (i) the cookie's exclusive purpose is to "allow" or "facilitate" communications by electronic means or (ii) the cookie is "strictly necessary for the provision of an online communication service at the express request of a user". MIOL argued in response that fighting advertising fraud is strictly necessary for their service to ensure

Violations (4)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Unclear Cookie Information
high

The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.

Art. 12, 13 GDPR

Misleading Banner Messaging
critical

The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).

Art. 7 GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Microsoft Ireland Operations Limited in FR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

19 December 2022

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€60,000,000

GDPRhub ID

gdprhub-5548

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 100%

Cite as: Cookie Fines. Microsoft Ireland Operations Limited - France (2022). Retrieved from cookiefines.eu
