Discord Lost $830,000 Because of Its Crooked Data Protection Policy

Discord was fined for not keeping up its proper data protection practices and compliance. Here is everything you need to know about it.

On 10th November 2022, Discord was fined $830,000 by the CNIL for failing to comply with several obligations under the GDPR. A hefty amount, matching the online commotion the decision caused.
Thumbnail by Roonie

About GDPR

The GDPR stands for General Data Protection Regulation. Its main function is to ensure data protection and privacy in the European Union and the European Economic Area.

Image from snel.com

The GDPR is a crucial part of EU privacy legislation and human rights law, particularly Article 8 of the European Union's Charter of Fundamental Rights.

About the CNIL

CNIL stands for Commission Nationale de l'Informatique et des Libertés, an independent French administrative regulatory body focused on ensuring that data privacy law is applied to the collection, storage, and use of personal data.

Getting Discord Caught

The CNIL declared that the company had failed to meet several obligations under the GDPR (General Data Protection Regulation). After the fine was imposed, the details gradually became public on the internet. Several issues were identified to which Discord Inc. had given the CNIL no satisfactory answer, which led it to impose the fine.

The issues have been elaborated on in a simple manner in this article. Let us take a closer look.

Lack of Explanation for the Missing Data Retention Policy

The company admitted that it had no written data retention policy. The CNIL found that there were:

  • 2,474,000 French user accounts on Discord that had not been used for more than three years
  • 58,000 accounts that had not been used for more than five years.

After this, the company wrote a data retention policy that provides for the deletion of Discord accounts after 2 years of inactivity.

Failure to comply with the obligation to provide information

The information Discord provided about its data retention periods was incomplete. However, the company agreed to comply during the investigation.

Failure to ensure data protection by default

For example, a user who is in a voice channel closes the Discord window and assumes the application has been closed. Unfortunately, their privacy just took a hit: the application keeps running in the background and stays connected to the voice chat. Some of you might have noticed this but ignored it.

This becomes a problem if you say something personal that others can hear, which you definitely won't want.

However, the company set up a pop-up window that notifies users they are still connected to a voice chat the first time the window is closed; the user can change this behaviour in the settings.

Unsatisfactory security for private data

When a user creates a Discord account, the application allowed the user to set a weak 6-character password consisting only of letters and numbers.

According to the CNIL, the restricted committee considered that Discord's password management policy was not sufficiently strong and restrictive to ensure the security of users' accounts.

The company decided to solve this issue by enforcing an 8-character minimum password length with at least 3 of the 4 character types (lower case, upper case, numbers, and special characters), and after 10 failed login attempts it requires users to solve a CAPTCHA before proceeding.
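To make the before/after concrete, here is an added example (not Discord's code, and not from the CNIL decision) that implements the old 6-character alphanumeric rule beside the corrected rule and the 10-failure CAPTCHA trigger; the function and class names, and the assumption that a CAPTCHA is required once an account reaches 10 consecutive failures, are ours.

```python
import string

# Policy parameters as described in the article (assumed values, not Discord's code).
OLD_MIN_LENGTH = 6            # old policy: 6 characters, letters and numbers only
NEW_MIN_LENGTH = 8            # new policy: 8 characters minimum
REQUIRED_CLASSES = 3          # at least 3 of the 4 character types
FAILED_ATTEMPTS_BEFORE_CAPTCHA = 10


def character_classes(password: str) -> set:
    """Return which of the four character types the password uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def old_policy_accepts(password: str) -> bool:
    """The weak pre-investigation rule: at least 6 alphanumeric characters."""
    return len(password) >= OLD_MIN_LENGTH and password.isalnum()


def new_policy_accepts(password: str) -> bool:
    """The corrected rule: at least 8 characters drawn from at least 3 character types."""
    return (len(password) >= NEW_MIN_LENGTH
            and len(character_classes(password)) >= REQUIRED_CLASSES)


class LoginThrottle:
    """Counts consecutive failed logins per account; 10 failures trigger a CAPTCHA."""

    def __init__(self):
        self.failures = {}

    def record_failure(self, account: str) -> None:
        self.failures[account] = self.failures.get(account, 0) + 1

    def record_success(self, account: str) -> None:
        # A successful login clears the counter for that account.
        self.failures.pop(account, None)

    def captcha_required(self, account: str) -> bool:
        return self.failures.get(account, 0) >= FAILED_ATTEMPTS_BEFORE_CAPTCHA
```

A password such as `abc123` passes the old rule and fails the new one, which is exactly the gap the CNIL objected to.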

Failure to carry out a data protection impact assessment

The company considered that carrying out a data protection impact assessment was unnecessary. The CNIL held that the company should have carried out an impact analysis, given the volume of data it processes and the use of the application by minors.

Provisions found by the CNIL to have been violated

  • Article 5 of the GDPR (principles relating to data processing)
  • Article 13 of the GDPR (duty to inform data subjects)
  • Article 25 of the GDPR (data protection by default)
  • Article 32 of the GDPR (obligation to ensure data security)
  • Article 35 of the GDPR (obligation to carry out an impact analysis)

CNIL Official Site

Should you stop using Discord?

Certainly not. Our mission is not to scare users with our Discord articles; all of this is for educational and informational purposes only. The issues have been fixed by Discord following this painstaking investigation by the CNIL.

That's all for today, hope you enjoyed today's article. Make sure to join our official Discord server to discuss further on this topic or suggest new articles!

Have you had data privacy issues with Discord?

Well, it's better to fix a broken system than pay $830,000, right? Let's discuss this topic further on our official Discord server.