Excerpt
The French DPA fined Microsoft for installing non-essential cookies without valid consent and for making it harder to refuse cookies than to accept them by placing the refusal option on a second layer.
Our analysis
In 2020 and 2021, the French data protection authority, CNIL, conducted an investigation into Microsoft's search engine, "bing.com", following a complaint about the site's cookie deposit practices. The investigation revealed that when users visited the search engine, cookies were being deposited on their terminals without their consent, and these cookies were being used for advertising purposes. Furthermore, it was discovered that there was no option for users to easily refuse cookies. It took two clicks to refuse all cookies, compared to just one click to accept them. The CNIL committee considered this to be a violation of users' freedom of consent as it discouraged users from refusing cookies and favored the ease of accepting them.
During the investigation, the CNIL delegation followed the path of a typical user to identify if cookies were being placed on the user's equipment. They visited the "bing.com" domain and continued browsing the search engine without clicking on any of the buttons or links displayed on the cookie management banner. Eventually, they were blocked by a pop-up window and clicked on the "Privacy statement" and "More options" links located on the window. From the "More options" link, the delegation authorized the deposit of cookies on their terminal by clicking on the "Allow all" button. The Restricted Committee concluded that until March 29, 2022, when a "Refuse all" button was implemented, the conditions for collecting consent that were offered to users constituted a violation of the law. The committee believed that the more complex refusal mechanism discouraged users from refusing cookies and encouraged them to favor the ease of the consent button appearing in the first window.
Outcome
Despite arguments made by Microsoft Ireland Operations Limited (MIOL) that "bing.com" was in a vulnerable position in a market dominated by one player, the outcome of the case was determined by several factors. These included the extent of illegal data processing, which impacted 11 million unique visitors in September 2020, the fact that "bing.com" was the second strongest player in the search engine market, the default use of the search engine for Windows queries, and the financial gains obtained by MIOL from the breach. As a result of the case, the DPA imposed a fine of EUR 60,000,000 on MIOL and required them to rectify their cookie implementation. Failure to comply with this requirement would result in a penalty payment of EUR 60,000 per day after the DPA's deadline.
Parties
French DPA, the National Commission for Computing and Liberties (CNIL) and Microsoft Ireland Operations Limited (MIOL)
Case number
SAN-2022-023
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Obstruction is a type of deceptive pattern that deliberately creates obstacles or roadblocks in the user's path, making it more difficult for them to complete a desired task or take a certain action. It is used to exhaust users and make them give up, when their goals are contrary to the business's revenue or growth objectives. It is also sometimes used to soften up users in preparation for a bigger deception. When users are frustrated or fatigued, they become more susceptible to manipulation.
There are numerous ways to interfere with the visual design of a page to hide, obscure or disguise information. Visual perception can be manipulated by using small, low contrast text. Comprehension can be manipulated by creating a chaotic or overwhelming interface. Users' expectations can be violated by placing important information in styles or locations they would not expect.
Related laws
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Requires website operators to obtain user consent before storing or accessing information on the user's device through cookies or similar technologies.
Users must give informed and unambiguous consent and receive clear information about cookies, including processing purposes and data controller identity, according to the law.