Executive Summary
CNIL, the French data protection authority, recently fined Yahoo! €10 million. This penalty addresses Yahoo’s violation of data protection laws.
Yahoo! faced criticism for depositing cookies on user devices without obtaining proper consent. Furthermore, the company made it challenging for users to withdraw their consent, threatening adverse consequences.
Notably, a significant factor in the calculation of the large fine was that this issue impacted a substantial number of users, specifically around 5 million unique visitors.
Findings
The investigation by CNIL unveiled Yahoo!’s significant data protection violations.
Yahoo! had placed at least 20 cookies on user devices without the users’ consent. This issue persisted even though an option to manage settings is available. 26 cookies, including those for advertising, were present without proper authorisation.
Moreover, users encountered discouragement when they attempted to withdraw their consent. For instance, they were warned of losing access to services like Yahoo! mail. CNIL highlighted that consent should be given freely and that users should not face penalties for withdrawing consent.
Outcome
CNIL‘s response to Yahoo’s data protection violation was firm, resulting in a €10 million fine.
Recent CNIL Penalty on NS Cards France
In another noteworthy case in France from January 11, 2024, CNIL fined NS Cards France €105,000.
The company violated the General Data Protection Regulation (GDPR) through several actions:
- Retaining personal data for an excessive duration,
- Not informing data subjects adequately,
- Implementing weak password security measures,
- Depositing cookies without proper consent, similar to Yahoo!
These violations led to the imposition of a significant penalty on NS Cards France.
