Yahoo EMEA Limited – €10,000,000 Fine (France, 2023)

Between 12 June 2019 and 2 October 2020, the French DPA ("CNIL") received 27 complaints, concerning among other things, the deposit of cookies on the data subjects terminals before any action was taken, as well as the failure to take into account their refusal to the deposit of these cookies. Following these complaints, the CNIL carried out online investigations of the "yahoo.com" website and the "Yahoo mail" messaging service. The first investigation consisted of two scenarios: during a first scenario, the CNIL found that at least 20 cookies for advertising purposes had been placed on their terminal even though they had not expressed consent. They also discovered that on the Yahoo page, there was a "Your data. Your experience" window which included an "I accept" and "Manage settings" button. The "Manage settings" button used push buttons which were activated by default. The CNIL did not activate any of the buttons and clicked "Save and continue" but still noted the deposit of 26 cookies, 7 of which were used for advertising purposes. During a second scenario, the CNIL browsed on "yahoo.com" in order to create a "Yahoo mail" account. As in the first scenario, the CNIL did not express consent to the deposit of cookies. During this investigation, they also discovered that when a user tried to withdraw their consent, a window was displayed and indicated that "You must accept them to be able to use Verizon Media products. If you disable them, you revoke your consent and will no longer be able to access Verizon Media products, including Yahoo Mail, Yahoo News, Huffington Post, etc." The CNIL clicked on the "Find out more" link where there were questions, such as "What happens if I withdraw my consent to cookies from the privacy dashboard? "and that the answer to this question stated that while "users in the European Union can withdraw this cookie agreement for their account from the privacy dashboard", "withdrawing this agreement will result in blocked access to our pr