CNIL Fines Yahoo! €10 Million for Cookie Breaches
The French Data Protection Authority (CNIL) imposed a €10 million fine on YAHOO EMEA LIMITED for breaches related to user consent regarding cookies on its "Yahoo.com" website and "Yahoo! Mail" messaging service.
On 29th December 2023, Yahoo EMEA Limited, responsible for various web services, including a search engine and email service, faced 27 complaints for the disregard for user cookie preferences and challenges in withdrawing consent. CNIL conducted investigations in October 2020 and June 2021, leading to findings of non-compliance with Article 82 of the French Data Protection Act.
Cookie Placement
In October 2020, during an inspection, the CNIL uncovered that when users visited the "Yahoo.com" site, the displayed cookies banner provided access to a page containing numerous buttons designed to obtain consent for cookie placement. Despite the absence of expressed consent, approximately twenty cookies, primarily for advertising purposes, were surreptitiously deposited on the user's device.
This blatant violation prompted the restricted panel to conclude that Yahoo EMEA Limited failed to fulfil its obligations under Article 82 of the Data Protection Act, emphasising that explicit consent is mandatory for cookies serving advertising purposes.
Withdrawing Consent
The restricted panel further observed a coercive practice when users of the "Yahoo! Mail" messaging service attempted to withdraw their consent for cookie placement. Yahoo EMEA Limited warned users that such an action would result in the loss of access to the company's services, including its messaging platform.
While linking service usage to cookie registration is permissible, it must be contingent upon freely given consent. In this instance, the absence of an alternative for users wishing to withdraw their consent meant that the only option provided was to forgo the use of their electronic messaging service.
Email Addresses
The restricted training emphasised the significance of an email address as an integral element of a user's private life. An email address facilitates communication with others, network development, and the archiving of important personal or professional conversations. Consequently, users, in the course of utilising their email addresses, find it challenging to switch to a similar service as seamlessly as they might have initially intended. This impacts users' ability to manage their personal and professional communications.
Free Exercise of Consent Withdrawal
The restricted panel highlighted that, given the circumstances, the withdrawal of consent could not be freely exercised by users. The lack of a viable alternative and the consequential loss of access to essential services, especially the electronic messaging platform, created an environment where users felt compelled to give their consent against their preferences.
Yahoo EMEA Limited's €10 million fine is a reminder to businesses about the importance of respecting user choices and ensuring transparent practices regarding cookies. The CNIL's decision highlights the need for companies to prioritise user privacy, especially in the context of evolving data protection regulations.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you, get in contact with us today for more information.