Discord, a popular communication service primarily utilized by the video game community, was assessed a fine of 800,000 euros (U.S. $829,000) by the French data protection authority for multiple violations of the General Data Protection Regulation (GDPR) related to safeguarding user data.
The CNIL announced the penalty Thursday following an investigation into the U.S. company’s compliance with the GDPR. The probe uncovered a handful of requirements under the data privacy law that were not being met. The CNIL noted that Discord addressed each deficiency.
“The amount of the fine was decided regarding the breaches identified, the number of people concerned, but also taking into account the efforts made by the company throughout the procedure to reach compliance and the fact that its business model is not based on the exploitation of personal data,” the regulator said.
The details: The alleged GDPR violations largely related to data retention periods and security of personal data. For example, the CNIL said it found more than 2.4 million French user accounts in Discord’s database that hadn’t been used for at least three years. The company, which did not have a written data retention policy, updated its controls and now deletes accounts after two years of inactivity, according to the regulator.
The company was also faulted for failing to carry out a data protection impact assessment, believing it to be unnecessary. The CNIL, citing Discord’s popularity among minors, disagreed, and the company carried out two impact assessments for its processing related to its core services.
Other lapses noted included poor password management and an issue where users might have believed they had exited a voice chat while still being heard by other members of the chat. Discord improved its minimum password requirements and added a pop-up window to ensure users know when the application is still running after their exit from a chat.
Discord response: “Discord was created to be a place where people can come together and find belonging. Respecting user data and privacy is core to that mission,” said a company spokesperson. “We appreciate the opportunity to engage with CNIL as protecting user privacy is very important to us.
“The report is based on product features and practices from 2020 that have since been updated. We’re committed to working with regulators around the world, and we continuously update our product and policies to better serve our users and meet our obligations.”