Cookies: CNIL fined Yahoo! €10 million

18 January 2024

On 29 December 2023, the French Data Protection Authority (CNIL) fined YAHOO EMEA LIMITED €10 million for failing to respect the choice of Internet users who refused cookies on its "Yahoo.com" website and for not allowing users of its "Yahoo! Mail" messaging service to freely withdraw their consent to cookies.

Background information

YAHOO EMEA LIMITED publishes several web services such as a search engine and an e-mail service. The CNIL received 27 complaints reporting the failure to take into account the refusal of cookies and the obstacles encountered in withdrawing consent to the deposit of cookies. In October 2020 and June 2021, the CNIL carried out several online investigations on the Yahoo.com website and the Yahoo! Mail messaging service.

On the basis of the findings made during the investigations, the restricted committee - the CNIL body responsible for issuing sanctions - considered that YAHOO EMEA LIMITED had failed to comply with the obligations provided for in Article 82 of the French Data Protection Act.

In order to determine the amount of the fine, the restricted committee took into account the fact that the company did not respect the choice of Internet users regarding cookies and that it put in place measures to dissuade them from withdrawing their consent to the deposit of cookies.

Breaches punished

Cookies deposited without the user's consent

Firstly, during its October 2020 investigation, the CNIL noted that when a web user visited the "Yahoo.com" site, the cookie banner displayed gave access to a page containing many buttons designed to obtain consent for the deposit of cookies. However, the CNIL noted that despite the absence of any expressed consent, around twenty cookies for advertising purposes were  deposited on the Internet user's terminal anyway.

The restricted committee considered that YAHOO EMEA LIMITED had failed to fulfil its obligations under Article 82 of the French Data Protection Act, insofar as cookies for advertising purposes may only be placed where explicit consent has not been given.

An incentive not to withdraw consent

Then, the restricted committee noted that when users of the "Yahoo! Mail" messaging service wished to withdraw the consent they had given to the deposit of cookies, the company informed them that the consequences of their action would be that they would no longer be able to access the services offered by the company and that they would lose access to their messaging service.

The restricted committee pointed out that while linking the use of a service to the registration of cookies that are not strictly necessary for the service provided is not in itself illegal, it is on condition that consent is freely given. This implies that refusing or withdrawing consent does not result in harm to the user. In this case, however, the company did not offer an alternative to users wishing to withdraw their consent: the only option available to the user was to give up the use of their messaging service.

The restricted committee considered that, in these circumstances, the withdrawal of consent could not be exercised freely.

The restricted committee emphasised that an email address was nevertheless an element of the private life of its user, insofar as it enabled him or her to exchange with other people, to develop his or her network and to archive important personal or professional conversations. As a result, as users use their email address, they can no longer replace it with any similar service as easily as they would have done initially.

Jurisdiction of the CNIL

The CNIL has material  jurisdiction to carry out investigations and sanction operations relating to cookies placed by companies on the terminals of Internet users located in France. The cooperation mechanism provided for by the GDPR ("one-stop shop" mechanism) is not intended to apply to these procedures insofar as operations relating to the use of cookies are covered by the "ePrivacy" Directive, transposed in Article 82 of the French Data Protection Act.

The restricted committee considered that the CNIL also has territorial jurisdiction pursuant to Article 3 of the French Data Protection Act, as the cookies are used in the "context of the activities" of YAHOO FRANCE, which is the "establishment" on French territory of YAHOO EMEA LIMITED.