On Yahoo Mail, consent is science fiction according to the CNIL


Yahoo is no longer the star of the Web that it once was. In France, the company has had only a handful of employees since its last redundancy plan (PSE) in August 2023. This does not exempt the firm from privacy regulations.

Nor does it prevent the CNIL, the French personal data watchdog, from issuing a sanction against Yahoo. And this is precisely what the authority has just done by sanctioning Yahoo EMEA Limited.

You will take many cookies for the road

Because yes, the CNIL is “materially competent to control and sanction operations linked to cookies placed by companies on the terminals of Internet users located in France.” The authority does not fail to emphasize it.

It is not the GDPR one-stop-shop mechanism that applies in the case between Yahoo and the CNIL, but the ePrivacy Directive, because it is for its non-compliant use of cookies that the company is fined 10 million euros.

If Yahoo hoped to escape the axe on jurisdictional grounds, it failed. “The use of cookies is carried out within the “context of the activities” of the company YAHOO FRANCE which constitutes the “establishment” on French territory of the company YAHOO EMEA LIMITED”, ruled the restricted committee.

But what are the grievances behind this dispute over jurisdiction? The liberties (ironic, since they violate the Data Protection Act) that the firm took with the use of cookies and consent.

No advertising cookies without explicit consent

Take, for example, the cookies placed for visitors to the Yahoo.com site. Admittedly, the online service did display the banner required to obtain consent. During the inspection in October 2020, Internet users could object.

At least in theory, since even in the absence of any consent, French visitors received around “twenty cookies pursuing advertising purposes.” Whether they liked it or not, these trackers were still placed on their terminals.

Yahoo thus violates Article 82 of the Data Protection Act. Indeed, “cookies for advertising purposes can only be placed when explicit consent has been given”, recalls the authority.

On Yahoo Mail, the practice varies a little, but the spirit remains the same. The user’s hand was forced: it was impossible to withdraw consent without losing access to the services offered by the company, and therefore to one’s email.

No cookies? Then no more email

Admittedly, making the use of a service conditional on accepting cookies that are not strictly necessary for the service provided is not in itself illegal. On one condition, however: consent must be free, i.e. it must not cause harm to the user.

With giving up email as the only alternative, it is difficult to consider the consent collected by Yahoo as free. Worse, an email address constitutes an element of the private life of its user.

“Thus, as he uses his email address, the user can no longer replace it with any similar service as easily as he would have done initially,” analyzes the CNIL’s restricted committee. The consequence: a financial penalty, increased due to aggravating factors.

“To determine the amount of the fine, the restricted committee took into account that the company did not respect the choice of Internet users in terms of cookies and that it put in place measures to dissuade them from withdrawing their consent to the placing of cookies.”


