On January 18, 2024, the Commission nationale de l’informatique et des libertés (CNIL), the French agency responsible for the protection of personal data, announced the imposition of a € 10 million fine on Yahoo EMEA Limited for breaching Article 82 of the French data Protection Act, the Loi Informatique et Libertés. Yahoo EMEA Limited, based in Ireland, operates on French territory as Yahoo France. The company offers various internet services, including private email accounts and a search engine for browsing the World Wide Web.
The fine followed online investigations carried out by the CNIL in 2020 and 2021. The agency found that numerous advertising “cookies” – bits of data implanted on a computer that are used to identify individual computers and relay information back to the website operator — were placed on the devices of consumers who accessed the Yahoo.com site, without the consumers’ express consent. The CNIL also found that once consent to cookies had been given by users of Yahoo’s email service, Yahoo! Mail, the consent could not be withdrawn without the threatened loss of access to their messaging accounts.
The restricted committee of the CNIL concluded that by failing to obtain express consent for the cookies, and by failing to offer consumers an alternative means of access to Yahoo’s messaging services when consent was withdrawn, the company had breached its obligations under the French Data Protection Act. Article 82 of the Act, which governs the use of cookies and other tracking mechanisms, requires that users of electronic communications be informed, clearly and completely, of the reason for accessing the user’s information, the way the information will be used. The data cannot be accessed without the user’s consent unless it is strictly for purposes of enabling the electronic communication, or is necessary for the provision of the communication service requested by the user. Other provisions such as Article 7(3) of the Act protect the user’s right to withdraw consent to the placement of information on a personal device, and requires that withdrawal of consent be no more cumbersome than the grant thereof.
The CNIL rejected Yahoo’s jurisdictional and procedural defenses, and the restricted committee imposed a €10 fine, and publish its decision on the CNIL and LegiFrance sites. After an interval of two years, the company will not be identified by name on the CNIL or LegiFrance site in connection with the fine.