France’s DPA fines Yahoo €10 million for cookie breaches

France’s Data Protection Authority (CNIL) has fined YAHOO EMEA Ltd €10 million for failing to respect the choice of Internet users who refused cookies on its "" website.

Withdrawing consent resulted in the company informing the users that they would no longer be able to access its services and that they would lose access to their messaging service. The CNIL says that in these circumstances, the withdrawal of consent could not be exercised freely. Also, an email address is an element of the ‘private life’ of its user.

In addition, the CNIL noted that around twenty cookies for advertising purposes were deposited on the Internet user's terminal even when they had not provided explicit consent.

The decision of 29 December 2023, made public on 18 January 2024, stemmed from just 27 complaints to the DPA, and the subsequent 2020 investigation. But the CNIL has over the years been stressing cookie compliance. In 2020, it issued guidance on the use of analytics on websites and applications, explaining when organisations can benefit from an exemption of the consent requirement.

Recently, the European Commission issued a ‘cookie pledge’ as a response to concerns regarding the so-called “cookie fatigue” phenomenon. It is calling for a voluntary business pledge to simplify the management of cookies and personalised advertising choices by consumers. The European Data Protection Board has welcomed the initiative, but says that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or e-Privacy Directive.

The EU e-Privacy Regulation has still not been agreed, so the current EU e-Privacy Directive applies.