Discord Fined by French CNIL for GDPR Violations

Video Streamer Pays 800,000 Euros to Settle Probe of Privacy and Security Practices
Video streaming platform Discord will pay 800,000 euros to French authorities after an investigation questioned its data protection practices and compliance with the General Data Protection Regulation.

The National Commission on Informatics and Liberty - known as CNIL - says Discord violated the pan-European privacy rule in a number of ways, including by not disconnecting a voice chat when a user clicks the "X" icon at the top right of a window.

As CNIL notes, clicking the "X" in most Windows applications terminates the program, but in Discord's case, it just put the application in the background, leading to the possibility that a speaker may have said things they thought were private but were shared with everyone else logged onto the voice chat.

French authorities say Discord now warns users via a pop-up window that Discord is still running and that users can change the settings to shut the application down rather than minimize it by clicking the "X" icon.

The investigation also dinged Discord for allowing users to get away with weak passwords of just six alphanumeric characters. The service now requires users to have an eight-character password that includes all four character types and poses a CAPTCHA challenge after 10 unsuccessful login attempts.

The company also committed to deleting accounts after two years of inactivity to comply with GDPR data retention policies.

CNIL says the size of the fine takes into account efforts made by Discord to resolve concerns "and the fact that its business model is not based on the exploitation of personal data."

Earlier this year, the French data protection authority fined Facebook 60 million euros for not allowing users to refuse tracking cookies. Facebook's business model depends on collecting and analyzing user data to offer advertisers a targeted audience.

In an email, a Discord spokesperson told Information Security Media Group that the CNIL report "is based on product features and practices from 2020 that have since been updated." The company appreciates "the opportunity to engage with CNIL as protecting user privacy is very important to us," the spokesperson also said.


About the Author

Akshaya Asokan

Consultant Editor, ISMG

Asokan is a consultant editor for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
