Discord fined for failing to secure personal data

France's privacy watchdog fined the social platform 800,000 euros for failing to secure personal data and for failing to define and respect a data retention period.

Discord, a voice-over IP and instant messaging service, failed to comply with several obligations under the General Data Protection Regulation (GDPR).

The French data protection authority (CNIL) found that Discord did not have a written retention policy. The Discord database held nearly 2.5 million accounts of French users that had not been used for over three years. Discord has now committed to deleting accounts after two years of inactivity.

Discord was also warned about its password policy. At the time of the investigation, the platform accepted a six-character password made up of only letters and numbers. CNIL considered this not strong enough to ensure security. Discord now requires longer and more complicated passwords.

CNIL also warned that users stayed logged into the voice room even after closing the Discord application window. In Microsoft Windows, closing the application usually means exiting it.

"Discord's behavior is different and may lead to users being heard by other members in the voice room when they thought they had left."

Discord set up a pop-up window that, the first time a user closes the window, alerts them that the application might still be running.