French CNIL Imposes Fine of 10 Million Euros on Yahoo

The French data regulator imposed a fine of 10 million euros on Yahoo after determining that the company’s advertising cookie policy had violated the country’s privacy regulations.

See Also: OnDemand | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding

The National Commission on Informatics and Liberty – known as CNIL – received 27 complaints from French citizens about Yahoo cookies and web activity trackers placed on their devices while they had been using Yahoo.com and Yahoo Mail.

The complainants alleged that Yahoo’s cookie policies failed to let them withdraw consent for advertising cookies without giving up access to Yahoo websites altogether. That violates the French Data Protection Act, which requires that consumers be allowed to freely withdraw consent, CNIL said. Conditioning withdrawal on giving up Yahoo altogether doesn’t give consumers an opportunity to freely withdraw, it added in a statement.

The French regulator launched an investigation in 2021 and found that Yahoo had deposited at least 20 advertising cookies without obtaining adequate consent. More than 5 million consumers were affected over the course of 21 months, CNIL said, calling the company’s behavior a “serious infringement of privacy” under French law.

Yahoo did not immediately respond to a request for comment. Following the investigation, the company has reversed the cookie policy in question and closely worked with the French regulator to identify and mitigate the privacy violation, CNIL said.

The issue of user consent under the General Data Protection Regulation has turned into a multibillion-dollar question for American tech companies.

The French regulator in June last year fined advertising tech company Criteo 40 million euros under the European General Data Protection Regulation for its cookie practices. CNIL said the agency had illegally used its customer’s browser activity for behavioral ads. Before that, Microsoft Ireland revised its cookie policy for the Bing search engine in France after it had received a reprimand from the country’s data protection authority (see: Microsoft Revises Bing Cookie Policy in France).