The French data protection authority CNIL carried out an online inspection of the Discord mobile application and discord.com platform on 17 November 2020. On 17 November 2022, CNIL announced, that it had issued, on 10 November 2022, a decision, that Discord Inc, a company based in the United States, had failed to comply with several obligations under the General Data Protection Regulation (GDPR).
Lack of a written data retention policy
During the investigation procedure, Discord stated that it did not have a written data retention policy. The CNIL investigation confirmed that there were 2,474,000 French user accounts in the company's database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. This violates Article 5(1)(e) of the GDPR.
However, the company has complied with this obligation under the GDPR during the investigation procedure. Now it has a written data retention policy, which involves deleting user accounts after two years of inactivity.
Failure to comply with the obligation to provide information
Discord did not provide information regarding data retention periods. Actually, there were no specific criteria for determining them. This violates Article 13 of the GDPR.
The company has also complied with this obligation during the investigation procedure.
Failure to inform users of voice channel connections and information transmissions to third parties
In the Discord application, clicking on the close icon does not log out users. This action actually just put the application in the background, while users stayed logged into the voice room and were being heard by other users in the voice room when they thought they had left.
According to CNIL, Discord should specifically inform users that their speech is still being heard by others.
However, in Microsoft Windows, clicking on the close icon would exit the application. In addition, during the investigation procedure, the company set up a pop-up window to alert logged users, that the mobile Discord application is still running and the user can be heard by others, and to inform users that this setting can be changed.
Accepting a weak password
When creating a new account, a password of six characters including letters and numbers was accepted. CNIL concluded that the password management policy was not strong enough and did not ensure the security of users' personal data. This violates Article 32 of the GDPR.
However, the company took action during the investigation procedure to secure user accounts. It now requires users to set a stronger password of at least eight characters, including at least three character types, and to solve the captcha after ten unsuccessful login attempts.
Failure to carry out a data protection impact assessment
Discord considered that it was not necessary to carry out a data protection impact assessment. This violates Article 35 of the GDPR. CNIL considered that it should have carried out such an impact assessment since its service could be accessed by minors and by a large number of users.
During the investigation procedure, the company carried out two impact assessments for its processing related to its services, which concluded that the processing would not produce a high risk to individuals' rights and freedoms.
Based on the investigations' findings, CNIL considered that the company had failed to comply with the GDPR for violations of Articles 5(1)(e ), 13, 25(2), 32, and 35. CNIL issued a fine of 800,000 euros on the company Discord Inc., which was made public.
The amount of the fine was based on the breaches identified and the number of people affected. However, CNIL took into account the company's efforts throughout the investigation procedure to reach compliance and the fact that the GDPR regulation breaches were unintentional, and not intended for the exploitation of personal data.
Read the full CNIL decision here (in French).
Frequently Asked Questions
Why did Discord get fined?
Does Discord really delete your data?
Discord states that they retain personal information for as long as they have an active Discord account. On 10 November 2022, the CNIL investigation revealed that there were 2,5 million French user accounts that had not been used for more than three years. Now it has a written data retention policy, which involves deleting user accounts after two years of inactivity.
Can you get personal details from Discord?
According to the General Data Protection Regulation (GDPR), users, based in the European Union, can request a copy of their personal data collected. Go to User Settings -> Privacy and Safety, and click the "Request all of my Data" button. This button could be found on Desktop App, Browser, or Mobile App.