Discord – €800,000 Fine (France, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
France's data protection authority fined Discord EUR 800,000 for not having a proper data retention policy and for keeping inactive user accounts for too long. Discord also failed to inform users that their app continued running in the background after closing. This case shows the importance of clear data policies and user notifications.
What happened
Discord was fined for not having a clear data retention policy and for failing to inform users that their app continued running in the background.
Who was affected
Discord users in France, especially those with inactive accounts or using the app on Windows.
What the authority found
The French authority found Discord violated data protection rules by lacking a clear data retention policy and not informing users about the app's background activity.
Why this matters
This case highlights the need for companies to establish clear data retention policies and ensure users are informed about how their applications operate, particularly regarding privacy and data handling.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The French DPA (CNIL) started an investigation into Discord, a company based in the United States (controller). This controller provided a free of charge online service that allowed data subjects to communicate online using text, voice - and video. The investigation service of the DPA determined several shortcomings. During the investigation, the controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French data subject accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure, the controller added a data retention policy, which described that the controller would delete user accounts after two years of inactivity. The investigation service found that the information the controller provided regarding data retention periods was incomplete. There were no specific periods or criteria for determining these retention periods. The controller changed this element of the privacy policy during the procedure. The investigation service also addressed a specific problem about the application for Microsoft Windows: when a data subject, logged in to a voice room, closed the controller’s application window by clicking on the "X" icon at the top right of the application, the application would continue to run in the background and the data subject would remain logged in. However, in the majority of Microsoft Windows applications, clicking on the "X" will close the application. This 'background minimization' was activated after the first install of the controller's software. The data subject was not informed about this background minimization. During the procedure, the controller implemented a pop-up window to alert data subjects that the application was still running, when the application window was closed for the first time. The controller also informed data subjects that this se
Related Enforcement Actions (0)
No other enforcement actions found for Discord in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 November 2022
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€800,000
GDPRhub ID
gdprhub-5487About this data
Cite as: Cookie Fines. Discord - France (2022). Retrieved from cookiefines.eu
Last updated: