Yahoo is fined 10 million euros in France for cookie violations

The French privacy regulator CNIL has fined Yahoo 10 million euros because the company violated the GDPR in two ways with cookies. For example, cookies were placed without permission and email users could not simply withdraw permission.

CNIL says that Yahoo placed twenty advertising cookies on user devices when they navigated to the Yahoo.com site. Such cookies may only be placed if the user gives explicit permission for this, but according to CNIL, Yahoo also did this without that explicit permission. Yahoo did this at least in October 2020.

The other violation had to do with the Yahoo Mail service. This service required the placing of cookies, for which the company requested permission. However, users who later wanted to withdraw this consent could no longer use the email service. According to CNIL, Yahoo violated the law, because consent for such cookies must be freely given. “This implies that withdrawing this consent will not cause harm to the user.” Because users had no other alternative than no longer using the email service, according to the privacy regulator, there was no question of freely giving consent.

What plays a role in this is that, according to CNIL, an email address is ‘an element of a user’s private life’. An email address allows users to connect with others, strengthen a network, and archive important personal or business conversations. “So once people have created and used an email address, they cannot simply replace it with another service,” CNIL said.

The fine was imposed at the end of December, but has only now been announced. When determining the fine amount, CNIL says it took into account that users’ choice regarding the placement of cookies was not respected and that Yahoo had introduced measures to discourage users from withdrawing cookie consent.