Discord — Enforcement
Executive Summary
France's data protection authority (CNIL) fined Discord €800,000 for multiple GDPR violations. Discord had no written data retention policy, and 2.47 million French accounts that had been inactive for over three years were still in its database. The CNIL also found that Discord's voice channel behavior, where closing the app window kept users connected and audible, violated the principle of data protection by default, and that its six-character password minimum was insufficiently secure.
What Happened
On November 17, 2022, France's data protection authority CNIL fined Discord 800,000 euros for multiple GDPR violations. The violations included lacking a written data retention policy, keeping 2.47 million French accounts that had been inactive for over three years, allowing passwords of only six characters, and failing to properly disconnect users from voice chats when they clicked the window close button. Discord has since updated its practices, now requiring eight-character passwords with all four character types, implementing a CAPTCHA after ten failed login attempts, warning users when Discord continues running in the background, and committing to delete accounts after two years of inactivity.
Who Is Affected
French Discord users were directly affected by these privacy and security shortcomings, particularly the 2.47 million accounts that remained in Discord's database despite years of inactivity. Users who closed the Discord window believing they had disconnected from voice channels were affected by unintended audio sharing. The enforcement action also impacts Discord users more broadly as the company has implemented password and security improvements across its platform.
Why It Matters
This enforcement action demonstrates that data protection authorities will penalize companies for failing to implement basic privacy-by-default principles, even when their business model does not primarily rely on exploiting personal data. The case highlights that seemingly minor interface design choices, such as how a close button functions, can constitute significant privacy violations when they lead users to unknowingly share personal information. CNIL considered Discord's limited reliance on personal data exploitation as a mitigating factor in determining the penalty amount.
What You Should Do
Discord users should update their passwords to meet the new eight-character requirement with mixed character types if they have not been automatically prompted to do so. Users should review their Discord settings to ensure the application behaves as expected when closing the window, particularly if they use voice channels. French users with long-inactive accounts should be aware that Discord is now deleting accounts after two years of inactivity under its updated data retention policy.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.