Yahoo Hit with €10M GDPR Fine for Infringing Cookie Consent Rules
The French Data Protection Authority (CNIL) has imposed a €10 million fine on YAHOO EMEA LIMITED for its non-compliance with cookie consent regulations on its “Yahoo.com” website and “Yahoo! Mail” service. The CNIL’s investigation, which stemmed from 27 user complaints, revealed that YAHOO EMEA LIMITED did not honor users’ refusal of cookies and made it challenging for users to withdraw consent. During an October 2020 investigation, the CNIL discovered that YAHOO EMEA LIMITED deposited approximately twenty advertising cookies without explicit user consent, a clear violation of Article 82 of the French Data Protection Act.
Furthermore, the CNIL found that YAHOO EMEA LIMITED was discouraging users from withdrawing their consent by threatening the loss of access to their “Yahoo! Mail” service, a tactic deemed as undermining the freedom of consent. The CNIL stressed that consent must be given freely, without detrimental consequences for the user. The authority highlighted the personal significance of an email address, which becomes intertwined with one’s private life, making it difficult to replace with similar services.
The CNIL has the jurisdiction to enforce regulations and impart sanctions related to cookies on Internet user terminals located in France. The GDPR’s “one-stop shop” mechanism does not apply to cookie usage, as it falls under the “ePrivacy” Directive, embodied in Article 82 of the French Data Protection Act. The CNIL also claimed territorial jurisdiction as the cookies are linked to the activities of YAHOO FRANCE, the French establishment of YAHOO EMEA LIMITED.
In conclusion, this fine serves as a crucial reminder for companies to adhere strictly to data protection laws, particularly regarding cookies and user consent. Companies operating in the EU must ensure transparent consent mechanisms and respect users’ choices to avoid significant penalties.
