
CNIL release: https://www.cnil.fr/fr/cookies-sanction-de-60-millions-deuro..., and decision: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989

Reading it in translation, seems they identified the following as breaches:

1. When you visited bing.com they always dropped an ad fraud detection cookie.

2. After clicking around on bing.com, without clicking yes on any of the banners, it would drop an ads cookie.

3. On their cookie banner, rejecting took two clicks while accepting took one.

On 1, Microsoft argued that detecting ad fraud was "strictly necessary" for running bing.com, but the court disagreed, saying that advertising is not a service requested by the user. (point 53 in the full decision).

On 2, Microsoft said it was an accident and had already stopped, though not before CNIL asked them about it.

On 3, Microsoft argued that (a) rejecting was not actually required to be as easy as accepting and that (b) since the default was no cookies and it took a click to get cookies, rejecting was easier than accepting. The CNIL disagreed on both.



> rejecting was not actually required to be as easy as accepting

Nice of them to spell out "we don't actually care about the users, get fucked" in such a clear and succinct way.


They don't care about users who don't pay the bills.


This isn't about advertising - you can still advertise just fine, even more so on a search engine where the benefit of tracking is limited as the user explicitly tells you what they're searching for.


They were fined for tracking to detect ad fraud. Advertisers are paying per click, often quite a lot, and if you charge them for clicks that don't represent real humans they get grumpy and go advertise somewhere else.


For that matter, browser + IP fingerprinting can be server-tracked anyway, if less reliably overall. Especially with JS enabled. There are lots of tricks that can be used for this.

As an aside, I wonder how well or badly IP+agent fingerprinting could be combined with a URL that feeds a small randomly generated string with a VERY long cache expiration, with server/proxy no-cache headers (ETag per agent/IP). Effectively similar to a cookie, without technically being a cookie.
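The cache-expiration trick sketched in the comment above, worked through as an added example (this is not code from the thread, from the CNIL decision, or from Microsoft). It assumes a hypothetical `/beacon` endpoint and a toy model of one browser's validator cache; the 30-day threshold in the detection helper is an assumed cut-off, not anything from the decision. The server mints a random `ETag` with a year-long private `max-age`; on the next visit the browser revalidates with `If-None-Match`, which hands the same identifier back without any `Cookie` header. The example also shows the two things a practitioner wants to know: what defeats it (clearing the cache) and what a response that uses it looks like.

```python
"""ETag-based identifier persistence (a 'cache cookie'), simulated offline.

Added example; the /beacon endpoint and the cache model are constructed
for illustration and are not taken from any real site.
"""
import re
import secrets
from typing import Optional

ONE_YEAR = 365 * 24 * 3600  # the "VERY long cache expiration"
# Only accept tags that look like ones this server could have minted.
TAG_RE = re.compile(r'^"[0-9a-f]{16}"$')


def handle_beacon(req_headers: dict) -> tuple:
    """Hypothetical /beacon endpoint.

    Returns (status, response headers, identifier the server observed).
    A fresh client gets a random ETag; a returning client revalidates with
    If-None-Match, which carries the identifier back with no cookie involved.
    'Cache-Control: private' keeps shared proxies from handing one user's
    tag to another, which is what makes the tag per-browser.
    """
    tag = req_headers.get("If-None-Match", "")
    if TAG_RE.match(tag):
        status = 304  # Not Modified: identifier already known, empty body
    else:
        # Anything not in our format gets a fresh identifier. A client can
        # still forge a well-formed one, so this is tracking, not auth.
        tag = '"%s"' % secrets.token_hex(8)
        status = 200
    resp = {"ETag": tag, "Cache-Control": f"private, max-age={ONE_YEAR}"}
    return status, resp, tag.strip('"')


class BrowserCache:
    """Minimal model of a browser's stored validator for one URL."""

    def __init__(self) -> None:
        self.etag: Optional[str] = None

    def request_headers(self) -> dict:
        # A cached validator is sent back as If-None-Match on revisit.
        return {"If-None-Match": self.etag} if self.etag else {}

    def store(self, resp_headers: dict) -> None:
        cc = resp_headers.get("Cache-Control", "")
        if "ETag" in resp_headers and "no-store" not in cc:
            self.etag = resp_headers["ETag"]

    def clear(self) -> None:
        self.etag = None  # what "clear browsing data" does to this trick


def simulate_visits(n: int, clear_before: frozenset = frozenset()) -> list:
    """Identifier the server sees on each of n visits by one browser.

    clear_before: visit indices before which the user clears the cache.
    """
    cache = BrowserCache()
    seen = []
    for i in range(n):
        if i in clear_before:
            cache.clear()
        _status, resp, ident = handle_beacon(cache.request_headers())
        cache.store(resp)
        seen.append(ident)
    return seen


def looks_like_cache_tracker(resp_headers: dict) -> bool:
    """Defensive check on a captured response: an ETag together with a very
    long max-age on a tiny resource is the signature of this trick.
    The 30-day cut-off is an assumed threshold."""
    cc = resp_headers.get("Cache-Control", "")
    m = re.search(r"max-age=(\d+)", cc)
    return ("ETag" in resp_headers and m is not None
            and int(m.group(1)) >= 30 * 24 * 3600)


if __name__ == "__main__":
    print("same browser, three visits:", simulate_visits(3))
    print("cache cleared before visit 2:", simulate_visits(3, frozenset({2})))
```

Two things the simulation makes visible: the identifier survives across visits without a single `Set-Cookie`, and it dies the moment the cache is cleared (or the resource is fetched in a private window, or the client refuses to revalidate). It also still stores an identifier on the user's device and reads it back, which is the behaviour the ePrivacy storage rule is about, not the `Cookie` header specifically.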


But serverside tracking without consent would still be illegal, right? GDPR does not make a difference between cookies and other mechanisms.


Setting cookies involves you telling all your visitors that you're tracking them. How would the server-side tracking be detected?


Fingerprinting still requires a lot of client-side information. Sending that to the server for no good reason may prompt some questions.


I expect Microsoft would still disclose it in their privacy policy. Or be vulnerable to a whistleblower.


It's not "tracking" it's just ensuring a "consistent user experience throughout our ecosystem".

/sarc


The tracking they were fined for was for ad fraud detection, not personalization.


Fair enough... didn't know, since I'm in the US and don't deal with EU on a business level.


Not clear in this case, since while detecting ad fraud doesn't meet the "strictly necessary" requirements of ePrivacy (necessary for storing the cookie on your machine) it is still an open question whether the GDPR requires user consent for it. (Lawyers at advertising companies think that you don't, but that doesn't mean they're right)


It is but it's a hell of a lot harder to prove.


They do, because they operate a service to lure those users in so another set of people pay money to show ads to the first set.


*They don't care about users because users don't pay the bills.


Interesting. One quirk of browsing sites with JS disabled is that the cookie banners rarely show up. Often, they are implemented as scripts loaded from a site like "cookielaw.org".

I've long suspected that these sites default to dropping cookies when my consent is neither asked for nor received, as MS appears to have done here.

It's good to hear that such behavior is probably illegal in the EU.


> I've long suspected that these sites default to dropping cookies when my consent is neither asked for nor received, as MS appears to have done here.

> It's good to hear that such behavior is probably illegal in the EU.

Huh? What's the problem supposed to be?


It's in violation of various EU privacy laws like GDPR and the ePrivacy Directive.

They get discussed a lot here on HN so it's easy to assume everyone's familiar with them, but if you're not then you should search up a summary on them.


Defaulting to no cookies is a violation of privacy laws? How?


I read the comment "dropping cookies" not as "defaulting to none" but rather as "adding them", drop as in airdropping or dropping a payload.

That's how I read it at least, which would mean they're defaulting to cookies when no consent is reached, but I could be wrong.


That would conflict with normal cookie terminology, where cookies are "set" and packets are "dropped".

But much more importantly, it is completely impossible in the context of the thread:

> [Accusation 3.] On their cookie banner, rejecting took two clicks while accepting took one.

> On 3, Microsoft argued that (a) rejecting was not actually required to be as easy as accepting and that (b) since the default was no cookies and it took a click to get cookies that rejecting was easier than accepting. The CNIL disagreed on both.


"Dropping cookies" is one of those fun phrases that is commonly used to mean two opposite things.


But it can only mean one thing here, because it is labeled as the thing Microsoft was doing, and we know what Microsoft was doing.


> Microsoft argued that (a) rejecting was not actually required to be as easy as accepting

The regulation explicitly says so: an easy way to accept, reject and choose. A lot of companies seem to be violating the law on that one by making it difficult for people to reject cookies.


> The regulation explicitly says so.

Where do you see that in the ePrivacy Directive?


Reading the article, it's the French Data Protection Act, which is the French incorporation of various data privacy laws into French law. Where is your claim that it's based solely on the ePrivacy Directive coming from?


The decision considers both, but the decision is combining two regulations: one that says you need to get consent before using storage for purposes that aren't 'strictly necessary' (ePrivacy) and another that says how consent for the processing of personal data must be collected (GDPR). This is not the same as a regulation that explicitly says how consent for storage must be gathered, and before this decision it was not clear how the two regulations interacted on this point.


GDPR would override all others.


The constraints on use of client-side storage aren't reiterated in the GDPR: they are only in the ePrivacy Directive and the upcoming ePrivacy Regulation. The interaction between the GDPR and ePrivacy was not obvious on this point.


Civil law does not leave room for such creative interpretations. Even if the storage is being done client-side, as long as the company can access and use it, they will be considered to have that information. Then GDPR will kick in. Note that cookies are also stored client-side.


Sorry, I wasn't saying that Microsoft was claiming not to have access to the information. I was saying that the interaction between two different rules was unclear before this decision:

1. The ePrivacy Directive says that before setting anything in client-side storage you must have the consent of the user unless it is strictly necessary for performing an operation requested by that user.

2. The GDPR requires consent from the user before using their personal data in a bunch of different ways, and provides a lot of details on how that consent may be collected to be considered valid.

My interpretation of Microsoft's behavior here is that they were compliant with (1) and (2) individually, but the problem was the way they were collecting consent for (1) did not follow the requirements of (2).


Not coming from the ePrivacy directive. It comes from GDPR and consent basis.

GDPR Article 7(3), conditions for consent:

> It shall be as easy to withdraw as to give consent.

https://gdpr-info.eu/art-7-gdpr/


See my response to Macha above: https://news.ycombinator.com/item?id=34097918


Withdrawal is not the same thing as refusal.


When the permission is withdrawn, the other party cannot collect more data. And the existing data that they collected would need to be deleted if the user asks them to. If the withdrawal of permission also involves permissions regarding data storage and processing, it would mean that the company would need to destroy any personal data that they have.


If withdrawing is meant to be “undo consent”, how would you make that as easy as the initial “one click to consent”? Would you not have to show a banner on every page view, with a one click option to “withdraw”?


You'll have to go and ask the legislators what they were imagining. Thankfully it's not being interpreted quite as literally. Sometimes pragmatism saves the day.


I assume "withdrawal" is the legal term used for clicking "no" on a cookie banner.

In which case yes, it is the same as refusal in the context of the law being discussed.


Why would you assume that?


Why does a dog bark? It's just in my nature I guess.


I think they're probably thinking of the GDPR - that said not sure this isn't partially a GDPR fine?


>since the default was no cookies

Except for the cookies that they dropped on you by default (completely by accident, of course).

Good to know that they're absolutely unashamed of it though.


Why do you say unashamed of it?

