French data protection authority imposed €10 million fine against Yahoo!

CNIL fined Yahoo €10 million for privacy breaches, citing failure to respect user choices on cookies and lack of transparent withdrawal process. Investigations revealed non-compliance and advertising cookies without explicit consent.


The French Data Protection Authority (CNIL) imposed a €10 million fine on Yahoo! on 29 December 2023 for failing to respect users’ privacy and consent choices regarding cookies. Namely, CNIL found that Yahoo did not respect the choices made by internet users who refused cookies on its “Yahoo.com” website. Additionally, CNIL found that Yahoo did not provide an easy and transparent process for users to withdraw their consent to using cookies in the Yahoo! Mail service.

CNIL initiated two investigations in October 2020 and June 2021 after receiving 27 complaints against Yahoo regarding its cookie policy. During the first investigation in October 2020, it was found that around 20 cookies designed for advertising purposes were placed on the user’s device even without explicit consent. When users wished for their consent to be withdrawn, the company informed them that they would lose access to the messaging service offered by the company. While linking the use of the service to the registration of cookies is not illegal, in this case, Yahoo did not provide any alternative other than losing access to messaging services.

In imposing the fine, CNIL stated that it has jurisdiction to investigate and penalize actions related to cookies in France. The specific legal framework for cookies falls under the “ePrivacy” Directive, and the CNIL’s jurisdiction is justified both in terms of material jurisdiction and territorial jurisdiction under the French Data Protection Act.

Why does it matter?

In 2023, after issuing draft guidelines to combat dark patterns and urge digital advertisers to simplify consent requests, the European Commission planned to solve the ‘cookie fatigue’ issue. In December 2023, the European Data Protection Board (EDPB) welcomed this initiative and stressed the need for well-informed and deliberate consent related to cookies in the EU. Therefore, we could consider this the first step towards ‘stricter’ enforcement of cookie policy rules in the EU in 2024.