Discord Fined by French CNIL for GDPR ViolationsVideo Streamer Pays 800,000 Euros to Settle Probe of Privacy and Security Practices
Video streaming platform Discord will pay 800,000 euros to French authorities after an investigation questioned its data protection practices and compliance with the General Data Protection Regulation.
The National Commission on Informatics and Liberty - known as CNIL - says Discord violated the pan-European privacy rule in a number of ways, including by not disconnecting a voice chat when a user clicks the "X" icon at the top right of a window.
As CNIL notes, clicking the "X" in most Windows applications terminates the program, but in Discord's case, it just put the application in the background, leading to the possibility that a speaker may have said things they thought were private but were shared with everyone else logged onto the voice chat.
French authorities say Discord now warns users via a pop-up window that Discord is still running and that uses can change the settings to shut the application down rather than minimize it by clicking the "X" icon.
The investigation also dinged Discord for allowing users to get away with weak passwords of just six alphanumeric characters. The service now requires users to have an eight-character password that includes all four character types and poses a CAPTCHA challenge after 10 unsuccessful login attempts.
The company also committed to deleting accounts after two years of inactivity to comply with GDPR data retention policies.
CNIL says the size of the fine takes into account efforts made by Discord to resolve concerns "and the fact that its business model is not based on the exploitation of personal data."
Earlier this year, the French data protection authority fined Facebook 60 million euros for not allowing users to refuse tracking cookies. Facebook's business model depends on collecting and analyzing user data to offer advertisers a targeted audience.
In an email, a Discord spokesperson told Information Security Media Group that the CNIL report "is based on product features and practices from 2020 that have since been updated." The company appreciates "the opportunity to engage with CNIL as protecting user privacy is very important to us," the spokesperson also said.