Microsoft has been ordered to take action against storing cookies without users’ consent. In a recent ruling dated 23 July 2024, the Higher Regional Court of Frankfurt am Main, Germany, declared that Microsoft should be responsible for providing evidence that end-users have given their explicit consent before cookies are stored on their devices, even if the cookies used are dependent on website operators.
This ruling relates to the “Microsoft Advertising” service, an advertising platform that allows website publishers to display ads to users in the search results of the “Microsoft Search Network”. These advertisers rely on cookies to measure the effectiveness of their advertising campaigns.
Although Microsoft’s terms and conditions state that website operators are responsible for obtaining consent for the placement of cookies when using Microsoft’s advertising services, the Court found that this does not relieve Microsoft of its obligation to ensure that end-users have given their consent before cookies are placed on their devices.
This decision highlights the critical importance of obtaining consent for the processing of personal data. Under the GDPR, even minor breaches can result in fines of up to €10 million or, in the case of a company, up to 2% of its worldwide turnover in the preceding financial year, whichever is greater. As digital regulation in the EU expands and new laws such as the DSA and the AI Act come into force, it’s clear that obtaining user consent is essential.