On Thursday, the French data watchdog, CNIL, announced a fine of 10 million euros ($10.86 million) on U.S. web services provider Yahoo due to deficiencies in its cookie policy.
The regulatory body accused Yahoo.com of neglecting the preferences of internet users who declined cookies on its primary website. Additionally, Yahoo was criticized for not enabling users of its email client to freely revoke their consent to cookies.

The investigation follows receipt of 27 complaints from Yahoo customers on the failure to take into account the refusal of cookies and the obstacles encountered in withdrawing consent to the deposit of cookies. In October 2020 and June 2021, the CNIL carried out several online investigations on the Yahoo.com website and the Yahoo! Mail messaging service.

CNIL’s restricted committee, responsible for sanctions, determined that Yahoo EMEA failed to adhere to the obligations outlined in Article 82 of the French Data Protection Act.

The committee, taking into account findings from its investigations, noted that the company violated user choices regarding cookies and implemented measures discouraging users from withdrawing their consent to cookie storage.

The CNIL’s October 2020 investigation exposed a significant breach where, despite the absence of explicit consent, approximately twenty cookies for advertising purposes were deposited on the user’s terminal when visiting the Yahoo.com site. The restricted committee concluded that Yahoo EMEA LIMITED failed to meet its obligations, emphasizing that cookies for advertising purposes should only be placed with explicit consent.

Furthermore, the committee uncovered that users of the Yahoo! Mail messaging service faced consequences when attempting to withdraw their consent for cookie storage. The company warned users that discontinuing their consent would result in losing access to services offered by the company and their messaging service.

While linking service usage to non-essential cookie registration is not inherently illegal, the committee highlighted the importance of freely given consent. It stated that users should have alternatives if they choose to refuse or withdraw consent without facing harm. However, Yahoo EMEA failed to provide any alternative, leaving users with no option but to forgo the use of their messaging service.

Yahoo EMEA, the Ireland-based European subsidiary formally subjected to the fine, is reviewing the decision to determine the most appropriate course of action, Reuters news report said.

The CNIL’s investigation revealed a specific violation involving approximately 20 cookies, which are small data sets utilized for advertising purposes. These cookies were observed to persist on a user’s device when visiting yahoo.com, despite the absence of explicit consent from the user.

Regarding Yahoo!’s email client, the CNIL discovered a situation where users were unable to withdraw their consent for cookies without sacrificing access to the company’s messaging service. This raised concerns about the lack of a genuinely free and informed choice for users in managing their privacy preferences.

The fine underscores the regulatory scrutiny placed on companies regarding data protection and user privacy. Yahoo! is now compelled to address these issues and rectify its cookie policy to align with the CNIL’s standards. The outcome of this enforcement action highlights the importance of respecting user choices and ensuring transparent and user-friendly mechanisms for managing consent in the digital landscape.