Deliberation of the Restricted Committee concerning Microsoft Ireland Operations Limited

€60,000,000 in fines


The French DPA fined Microsoft for installing non-essential cookies without valid consent and making refusal of cookies harder than accepting them by placing them on a second layer.

Our analysis

In 2020 and 2021, the French data protection authority, CNIL, conducted an investigation into Microsoft's search engine, "", following a complaint about the site's cookie deposition practices. The investigation revealed that when users visited the search engine, cookies were being deposited on their terminals without their consent, and these cookies were being used for advertising purposes. Furthermore, it was discovered that there was no option for users to easily refuse cookies. It took two clicks to refuse all cookies, compared to just one click to accept them. The CNIL committee considered this to be a violation of users' freedom of consent as it discouraged users from refusing cookies and favored the ease of accepting them.
During the investigation, the CNIL delegation followed the path of a typical user to identify if cookies were being placed on the user's equipment. They visited the "" domain and continued browsing the search engine without clicking on any of the buttons or links displayed on the cookie management banner. Eventually, they were blocked by a pop-up window and clicked on the "Privacy statement" and "More options" links located on the window. From the "More options" link, the delegation authorized the deposit of cookies on their terminal by clicking on the "Allow all" button. The Restricted Committee concluded that until March 29, 2022, when a "Refuse all" button was implemented, the conditions for collecting consent that were offered to users constituted a violation of the law. The committee believed that the more complex refusal mechanism discouraged users from refusing cookies and encouraged them to favor the ease of the consent button appearing in the first window.


Despite arguments made by MIOL that "" was in a vulnerable position in a market dominated by one player, the outcome of the case was determined by several factors. These included the extent of illegal data processing, which impacted 11 million unique visitors in September 2020, the fact that "" was the second strongest player in the search engine market, the default use of the search engine for Windows queries, and the financial gains obtained by MIOL from the breach. As a result of the case, the DPA imposed a fine of EUR 60,000,000 on MIOL and required them to rectify their cookie implementation. Failure to comply with this requirement would result in a penalty payment of EUR 60,000 per day after the DPA's deadline.


French DPA, the National Commission for Computing and Liberties (CNIL) and Microsoft Ireland Operations Limited (MIOL)

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us