
Discord

French data authority CNIL fines Discord 800,000 euros for GDPR violations

In November 2022, the French data protection authority CNIL fined Discord Inc. 800,000 euros for multiple GDPR violations. An investigation found over 2.4 million French accounts inactive for at least three years and 58,000 inactive for over five years, with no written data retention policy. Discord also accepted weak six-character passwords, failed to conduct a data protection impact assessment despite processing data of minors, and did not adequately inform users about data retention periods. Discord subsequently implemented remedial measures including a two-year retention policy and stronger password requirements.

Scoring Impact

Topic          Direction  Relevance  Contribution
Data Security  -against   secondary  -0.50
User Privacy   -against   primary    -1.00

Overall incident score = -0.332

Score = avg(topic contributions) × significance (high ×1.5) × confidence (0.59) × agency (negligent ×0.5)

Evidence (1 signal)

Confirms | Legal Action | Nov 10, 2022 | verified

CNIL official decision fining Discord 800,000 euros for five GDPR violations

The French data protection authority CNIL fined Discord Inc. 800,000 euros for failing to comply with five GDPR obligations: no data retention policy (2.4M inactive accounts retained), incomplete information about retention periods, weak six-character password requirements, failure to provide data protection by default (app staying active after closing window), and failure to conduct a required data protection impact assessment for a service used by minors.
