{"id":2208,"date":"2024-11-29T14:26:53","date_gmt":"2024-11-29T13:26:53","guid":{"rendered":"https:\/\/blog.eprivacy.eu\/?p=2208"},"modified":"2024-11-29T14:26:53","modified_gmt":"2024-11-29T13:26:53","slug":"german-court-holds-microsoft-liable-for-third-party-privacy-violations-in-microsoft-advertising","status":"publish","type":"post","link":"https:\/\/blog.eprivacy.eu\/?p=2208","title":{"rendered":"German court holds Microsoft liable for third-party privacy violations in Microsoft Advertising"},"content":{"rendered":"\n<figure class=\"wp-block-table\"><table><tbody><tr><th class=\"has-text-align-left\" data-align=\"left\"><strong>The\u00a0Microsoft Advertising\u00a0service allows\u00a0businesses\u00a0to\u00a0display personalised advertising and\u00a0to measure their audience.\u00a0It uses\u00a0cookies and similar technologies, in particular\u00a0a\u00a0so-called \u2018UET tag\u2019.\u00a0<br>\u00a0<br>In a case\u00a0before the\u00a0court of Frankfurt (judgment of 27 June 2024,\u00a0case\u00a0no. 6 U 192\/23),\u00a0a\u00a0data subject\u00a0requested that\u00a0Microsoft&#8217;s Irish subsidiary refrain from placing cookies on her device and using similar technologies without her\u00a0prior\u00a0consent. She also demanded that\u00a0it\u00a0refrain from reading\u00a0out\u00a0information on her device for advertising purposes. Prior to this, the data subject had visited several third-party websites\u00a0using\u00a0Microsoft Advertising without\u00a0giving advertising consent through publishers\u2019 Consent Management Platforms (CMPs).\u00a0<br>\u00a0<br>Microsoft provides\u00a0a\u00a0toolkit to\u00a0publishers\u00a0to integrate Microsoft Advertising into their websites. In addition,\u00a0it contractually requires\u00a0them to obtain the necessary consent.<br>\u00a0<br>However, this\u00a0was not enough for the\u00a0court\u00a0to exonerate Microsoft,\u00a0granting the data subject injunctive relief.\u00a0The court held\u00a0Microsoft\u00a0itself\u00a0responsible for ensuring that the necessary consent has been obtained from data subjects before cookies or similar technologies are used or before information is read out from a device, as required under the German implementation of the EU ePrivacy Directive. The law applies to all businesses that store information on devices or that want to read out information on them \u2013 ultimately, therefore, also to Microsoft, even if the (correct) implementation of the Microsoft Advertising service is the responsibility of (and can only be done by) the website operator. However, Microsoft cannot simply rely on their compliance.<br>\u00a0<br>The decision of the Frankfurt court shows similarities to a 2023 French case, in which the ad tech company Criteo was fined \u20ac40 million by the French data protection supervisory authority CNIL, among other things for failing to take measures to ensure that the necessary consent was obtained by website operators using the Criteo service (we have covered this case in an earlier newsletter).\u00a0<br>\u00a0<br>The fact that this issue has now also reached courts at the national level should be a call to action for all businesses in the online marketing sector. Anyone who offers advertising and tracking technologies should ensure that all their users obtain the necessary consent in a compliant fashion. In particular, data vendors must be able to demonstrate the validity of the consent that their publishers have obtained to the data protection authorities upon request.<br>\u00a0<br>(Dr. Lukas Mezger, UNVERZAGT Rechtanw\u00e4lte)<\/strong><\/th><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>The\u00a0Microsoft Advertising\u00a0service allows\u00a0businesses\u00a0to\u00a0display personalised advertising and\u00a0to measure their audience.\u00a0It uses\u00a0cookies and similar technologies, in particular\u00a0a\u00a0so-called \u2018UET tag\u2019.\u00a0\u00a0In a case\u00a0before the\u00a0court of Frankfurt<\/p>\n<p class=\"link-more\"><a class=\"myButt \" href=\"https:\/\/blog.eprivacy.eu\/?p=2208\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts\/2208"}],"collection":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2208"}],"version-history":[{"count":1,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts\/2208\/revisions"}],"predecessor-version":[{"id":2209,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=\/wp\/v2\/posts\/2208\/revisions\/2209"}],"wp:attachment":[{"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eprivacy.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}