DISCORD INC. – €800,000 Fine (France, 2022)

€800,000Commission Nationale de l'Informatique et des Libertés10 November 2022France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

France fined Discord EUR 800,000 for not properly managing user data and security. Discord kept inactive accounts for too long and didn't secure user passwords well. This matters because it highlights the importance of data protection and security for online services.

What happened

Discord failed to set proper data retention periods and allowed insecure passwords.

Who was affected

French users of Discord, especially those with inactive accounts for over three years.

What the authority found

The French authority found Discord violated GDPR by not securing personal data and failing to set proper data retention policies.

Why this matters

This case emphasizes the need for companies to regularly review data retention policies and ensure strong password security. It signals to online platforms the importance of protecting user data even after accounts become inactive.

GDPR Articles Cited

AI-verified

Art. 13 GDPR
Art. 32 GDPR
Art. 35 GDPR
Art. 5(1)(e) GDPR
Art. 25(2) GDPR
View original scraped data
Art. 5(1)(e) GDPR
Art. 13 GDPR
Art. 25(2) GDPR
Art. 32 GDPR
Art. 35 GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
verified correct
France enforcementCommission Nationale de l'Informatique et des Libertés actionsAll DISCORD INC. actions
Full Legal Summary
Detailed

The French DPA has imposed a fine of EUR 800,000 on DISCORD INC.. DISCORD offers an online communication service through which users can chat or make video calls. During its investigation, the DPA found that the company had failed to establish and also comply with a data retention period appropriate to the purpose of the processing. For example, there were over two million accounts within the DISCORD database of French users who had not used their account for more than three years and approximately 50,000 accounts that had not been used for more than five years. Further, the DPA noted that the company did not have complete information regarding retention periods. Also, the DPA found that the company had failed to ensure data protection by default, contrary to the obligation under Art. 25 (2) GDPR. Thus, it was possible for user data to be transmitted even after the communication application was closed. The DPA also found that the company had failed to sufficiently ensure the security of personal data by accepting insecure passwords from users. The company accepted user passwords that consisted of six characters containing only letters and numbers. Finally, the DPA found that the company had failed to conduct a data protection impact assessment.

Related Enforcement Actions (0)

No other enforcement actions found for DISCORD INC. in FR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

10 November 2022

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€800,000

Enforcement Tracker ID

ETid-1496

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. DISCORD INC. - France (2022). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: