Discord was fined 800,000 euros (U.S. $829,000) by the French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), for violating the GDPR. The General Data Protection Regulation (GDPR) is a European Union regulation that strengthens and unifies personal data protection for all European Union (EU) citizens.
The investigation conducted by CNIL focused on the methods of data processing by Discord Inc. The investigation involved the platform’s website and mobile application. In 2020, CNIL also conducted a documentary inspection by sending a questionnaire to the company.
The CNIL has ascertained the following violations by Discord:
- Failure to define and comply with a data retention period appropriate to the purpose;
- Non-compliance with the obligation to inform data subjects;
- No data protection by default;
- Failure to guarantee the security of personal data;
- Failure to carry out a data protection impact assessment.
Discord retained 2,474,000 accounts of French users who had not used their accounts in more than three years and 58,000 accounts that had not been used in more than five years, with no particular reason or justification provided by the organization. The platform kept the data of inactive users longer than necessary and let users choose passwords that were too simple.
In determining the amount of the fine, the authority took into account the violations ascertained, the number of people involved, and the efforts the company made during the proceedings to ensure the resolution of the critical issues identified, as well as the fact that the company’s primary business model does not consist of the use of personal data provided by the user.
The CNIL also warned that once the Discord window is closed, the user is not automatically logged out of the voice chat. To solve this problem, the platform has added a pop-up window that warns people that the application can keep running in the background after the window is closed.