CNIL imposes €800,000 fine on Discord

VPN Guide November 18, 2022

News press release

The Commission Nationale de l'Informatique et des Libertés (CNIL) has fined Discord 800,000 euros. After an investigation, the French regulator concluded that the platform kept data from inactive accounts for too long and that its password policy was inadequate. Discord has since brought itself into compliance with European privacy law.

CNIL announces this in a press release (1).

Data retention policy was lacking

Discord is a platform used primarily by gamers to chat with others, via text and voice in so-called voice rooms. It is headquartered in the United States.

The French regulator found that Discord violated several European privacy rules. For starters, the platform had no data retention policy, that is, no policy governing how long user data is kept. The company's database held data on 2,474,000 French users whose accounts had not been used for three years. In addition, there were 58,000 accounts that had been inactive for at least five years. That violated Article 5.1.e of the General Data Protection Regulation (GDPR).

CNIL reports that Discord does now have a written data retention policy. This states, among other things, that accounts that have been inactive for two years will be deleted.

Criticism of password policy

CNIL also criticized Discord's password policy. Users who created an account on the gaming platform could set a password of only six characters. A six-character password is not good enough to protect gamers' data and violates Article 32 GDPR, according to the privacy watchdog. From now on, users must provide a password of at least eight characters, and after 10 failed login attempts a CAPTCHA appears on the screen that must be solved before the user can log in.
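The two remediation measures the article describes, a minimum password length with a CAPTCHA gate after repeated failures and deletion of accounts after two years of inactivity, are simple enough to model in code. The following is an added illustration written for this page, not Discord's implementation; the `Account` class, the PBKDF2 hashing, the `attempt_login` return values and the sample accounts are all assumptions, and only the policy numbers (8 characters, 10 failed attempts, 2 years) come from the article.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values taken from the article: at least eight characters, a CAPTCHA
# after ten failed logins, and deletion of accounts inactive for two years.
MIN_PASSWORD_LENGTH = 8
CAPTCHA_AFTER_FAILED_ATTEMPTS = 10
INACTIVITY_RETENTION = timedelta(days=2 * 365)


def password_meets_policy(password: str) -> bool:
    """True when the password satisfies the minimum-length rule."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 (hypothetical choice) so the store never holds clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:  # hypothetical record; not Discord's data model
    username: str
    salt: bytes
    password_hash: bytes
    last_active: datetime
    failed_attempts: int = 0

    @classmethod
    def create(cls, username: str, password: str, now: datetime) -> "Account":
        # Enforce the length rule at registration time.
        if not password_meets_policy(password):
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        return cls(username, salt, hash_password(password, salt), now)

    def captcha_required(self) -> bool:
        # After the tenth failure every further attempt needs a solved CAPTCHA.
        return self.failed_attempts >= CAPTCHA_AFTER_FAILED_ATTEMPTS


def attempt_login(account: Account, password: str, now: datetime,
                  captcha_solved: bool = False) -> str:
    """Return 'ok', 'denied' or 'captcha_required'."""
    if account.captcha_required() and not captcha_solved:
        return "captcha_required"
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.password_hash):
        account.failed_attempts += 1
        return "denied"
    account.failed_attempts = 0          # successful login resets the counter
    account.last_active = now            # and counts as activity for retention
    return "ok"


def accounts_due_for_deletion(accounts, now: datetime) -> list:
    """Usernames whose last activity is at least INACTIVITY_RETENTION ago."""
    return [a.username for a in accounts if now - a.last_active >= INACTIVITY_RETENTION]


def short_password_rejected() -> bool:
    try:
        Account.create("x", "short", datetime(2022, 11, 18, tzinfo=timezone.utc))
    except ValueError:
        return True
    return False


def demo():
    """Constructed scenario: ten failures trigger the CAPTCHA gate, a correct
    login with a solved CAPTCHA succeeds, and a three-year-idle account is due
    for deletion while the active one is kept."""
    now = datetime(2022, 11, 18, tzinfo=timezone.utc)
    alice = Account.create("alice", "correct-horse-battery", now - timedelta(days=30))
    for _ in range(CAPTCHA_AFTER_FAILED_ATTEMPTS):
        attempt_login(alice, "wrong-password", now)
    gated = attempt_login(alice, "correct-horse-battery", now)
    ok = attempt_login(alice, "correct-horse-battery", now, captcha_solved=True)
    bob = Account.create("bob", "longenough", now - timedelta(days=3 * 365))
    return gated, ok, accounts_due_for_deletion([alice, bob], now)


if __name__ == "__main__":
    print(demo())
```

The CAPTCHA gate is applied before the password is checked, so an attacker cannot keep probing passwords past the threshold, and the counter is keyed to the account rather than the client, which is what the regulator's objection concerned. The retention sweep is a function of `last_active` only; in a real deployment the timestamp would also be updated by non-login activity such as sending messages.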

A gamer who was connected to a voice channel and closed the application by pressing the X icon in the upper right corner remained connected, because the application kept running unnoticed in the background. In doing so, Discord misled gamers: the platform should have informed users that their voice could still be heard by others. This violated Article 25.2 GDPR.

Users who press the X icon for the first time will now see a pop-up window. In it, Discord tells them that it is possible to set the application to shut down completely when they press this button.

Discord did not conduct DPIA

Finally, the gaming platform did not consider it necessary to conduct a Data Protection Impact Assessment (DPIA). CNIL disagreed, noting that Discord processes large amounts of personal data, in particular that of minors, and that Article 35 GDPR then requires companies and organizations to carry out such an assessment. The platform has since conducted multiple DPIAs and concluded that no individual rights and freedoms are violated.

Because of these violations, CNIL found it appropriate and proportionate to impose a fine of 800,000 euros on Discord. The amount of the fine was determined based on the breaches found and the number of individuals involved. The French regulator took into account the company's efforts during the investigation to comply with European privacy rules "and the fact that its business model is not based on the exploitation of personal data."

  1. https://www.cnil.fr/en/discord-inc-fined-800-000-euros
