General Data Protection Regulation (GDPR) , Standards, Regulations & Compliance

French CNIL Imposes Fine of 10 Million Euros on Yahoo

Company Fined for Dropping Advertising Cookies Without Consent
French CNIL Imposes Fine of 10 Million Euros on Yahoo
Yahoo will pay 10 million euros to the French government. (Image: Shutterstock)

The French data regulator imposed a fine of 10 million euros on Yahoo after determining that the company's advertising cookie policy had violated the country's privacy regulations.

See Also: How Enterprise Browsers Enhance Security and Efficiency

The National Commission on Informatics and Liberty - known as CNIL - received 27 complaints from French citizens about Yahoo cookies and web activity trackers placed on their devices while they had been using Yahoo.com and Yahoo Mail.

The complainants alleged that Yahoo's cookie policies failed to let them withdraw consent for advertising cookies without giving up access to Yahoo websites altogether. That violates the French Data Protection Act, which requires that consumers be allowed to freely withdraw consent, CNIL said. Conditioning withdrawal on giving up Yahoo altogether doesn't give consumers an opportunity to freely withdraw, it added in a statement.

The French regulator launched an investigation in 2021 and found that Yahoo had deposited at least 20 advertising cookies without obtaining adequate consent. More than 5 million consumers were affected over the course of 21 months, CNIL said, calling the company's behavior a "serious infringement of privacy" under French law.

Yahoo did not immediately respond to a request for comment. Following the investigation, the company has reversed the cookie policy in question and closely worked with the French regulator to identify and mitigate the privacy violation, CNIL said.

The issue of user consent under the General Data Protection Regulation has turned into a multibillion-dollar question for American tech companies.

The French regulator in June last year fined advertising tech company Criteo 40 million euros under the European General Data Protection Regulation for its cookie practices. CNIL said the agency had illegally used its customer's browser activity for behavioral ads. Before that, Microsoft Ireland revised its cookie policy for the Bing search engine in France after it had received a reprimand from the country's data protection authority (see: Microsoft Revises Bing Cookie Policy in France).


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.