Yahoo! Faces €10 Million Fine from CNIL for Cookie Consent Failures


In a recent development, Yahoo! has been slapped with a €10 million fine by the French data protection regulator, CNIL, over consent violations related to cookies. The CNIL’s investigation, triggered by 27 complaints, revealed significant shortcomings in Yahoo!’s approach to obtaining user consent for cookies. This incident serves as a stark reminder for businesses, particularly those in the B2C sector, to prioritise compliance with cookie regulations.

Details of the Fine
Yahoo! provides various web services, including a search engine and an email service. The CNIL received complaints highlighting issues related to refusing cookies and challenges faced when attempting to withdraw consent. Upon conducting a thorough investigation, the CNIL found the following key points:

  1. Cookie Banner Failures: When users visited the “” site, the cookie banner displayed multiple buttons aimed at obtaining consent for cookie placement. Despite the absence of explicit consent, the CNIL discovered that approximately twenty advertising cookies were deposited on the user’s device.
  2. Coercive Practices: Users of the “Yahoo! Mail” messaging service faced obstacles when attempting to withdraw their consent for cookies. Yahoo! informed them that withdrawing consent would result in losing access to the company’s services and their messaging service. The CNIL emphasised that linking service usage to non-essential cookies is acceptable only if consent is freely given, a condition that Yahoo! failed to meet in this case.
  3. Lack of Alternatives: The CNIL noted that while connecting service use to non-essential cookies is not inherently illegal, the company failed to provide an alternative for users wanting to withdraw consent. The only available option for users was to forgo the use of the messaging service, making the withdrawal of consent impractical and not freely exercised.

Despite only 27 complaints triggering the investigation, a seemingly small fraction of the customer base, Yahoo! faced a substantial €10 million fine. This serves as a clear indication of the stringent enforcement of cookie laws and the need for businesses to exercise caution in their B2C operations.

Action Steps for Businesses
In light of this development, it is imperative for businesses to ensure that their cookie compliance aligns with legal standards. If there is any uncertainty or if more information is required, it is advisable to seek professional guidance. The Yahoo! case underscores the importance of proactive measures to avoid legal consequences and maintain a robust data protection framework.

The Yahoo! €10 million fine highlights the growing emphasis on privacy and data protection regulations. B2C businesses, in particular, should take note of this case and prioritise compliance with cookie laws to safeguard both their customers and their bottom line. Stay informed, stay compliant, and seek guidance when needed to navigate the intricate landscape of data protection and privacy regulations.

If you wish to speak to a Data Protection Officer about your cookie consent processes, and benefit from a complimentary 30-minute consultation, please contact 

Written by Robert Wassall
Robert Wassall is a solicitor, an expert in data protection law and practice, and a Data Protection Officer. As Head of Legal Services at NormCyber, Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.