Yahoo Slapped with 10M GDPR Fine for Crumbly Cookie Compliance


The French data protection authority CNIL has fined Yahoo 10 million euros for not respecting users’ right to refuse “cookies” when using its services.

In a statement, the privacy watchdog accused Yahoo on Thursday of "failing to respect the choice of Internet users who refused cookies on its main website and allowing users of its e-mail client to freely withdraw their consent to cookies." 

It found that visitors to the main site who clicked to reject cookies still ended up with around 20 digital trackers left on their devices, which were collecting small amounts of data for targeted advertising. 

“The CNIL noted that when a web user visited the "" site, the cookie banner displayed gave access to a page containing many buttons designed to obtain consent for the deposit of cookies,” CNIL said in a statement. 

“However, the CNIL noted that despite the absence of any expressed consent, around twenty cookies for advertising purposes were deposited on the Internet user's terminal anyway.”

As well as being unknowingly tracked by cookies, Yahoo Mail users who attempted to withdraw consent for cookies were also warned they would no longer have access to messaging or other Yahoo services. 

“When users of the "Yahoo! Mail" messaging service wished to withdraw the consent they had given to the deposit of cookies, the company informed them that the consequences of their action would be that they would no longer be able to access the services offered by the company and that they would lose access to their messaging service,” CNIL said in a statement. 

“The restricted committee pointed out that while linking the use of a service to the registration of cookies that are not strictly necessary for the service provided is not in itself illegal, it is on condition that consent is freely given,” it added. 

GDPR Breach

Since the introduction of the EU’s General Data Protection Regulation (GDPR) in 2018, tech companies have faced stricter rules on obtaining consent from their users about how their sensitive data is used. 

Organisations that fail to adhere to GDPR or that slip in the face of a data breach are liable for a fine of €20 million or 4% of global annual turnover. This hefty sum is keeping all organisations on their toes and prepared to hire the best in cyber and data security to ensure this does not happen.


The EU does not hesitate in dishing out large fines to tech companies that don’t comply. In May last year, the EU fined Meta €1.2 billion over data transfers from the EU to the US – the largest penalty ever to be imposed over a GDPR breach. 

In 2021, the Luxembourg National Commission for Data Protection (CNPD) also issued a fine of €746 million ($888 million) to Amazon.

The fine was issued following a complaint filed by 10,000 people against Amazon in May 2018 through La Quadrature du Net, a French privacy rights group that promotes and defends fundamental freedoms in the digital world.

Cookie Crackdown

Right now, third-party cookies make it easy for companies to track users' movements on Chrome, allowing them to target specific users with ads tailored to their needs and interests.

These cookies are blocked in Apple’s Safari and other browsers like Firefox, but not in Google Chrome, the browser of choice for the vast majority of the world. 

Google is set to cut cookies by the end of 2024 as part of its goal of creating a privacy sandbox. This will prevent websites from using cookies to track their users and will force them to use Google’s APIs, which will replace cookie functionality and let an advertiser know if a user saw its ad and then eventually bought the product or landed on the promoted page.

This would essentially attribute ads to pageviews and purchase impacts in Chrome, affecting all aspects of digital advertising from how budgets are divided between channels to which products ad tech vendors build.

