YAHOO EMEA LIMITED – hereinafter referred to as YAHOO – publishes eponymous Yahoo! mailbox.
As part of this activity, it has implemented advertising cookies.
In order to ensure that users will accept them – a condition for setting cookies – YAHOO has subjected access to mailboxes to prior consent of these cookies.
In the absence of consent, Company informed users that they would no longer be able to access their mailboxes and – as a result – would lose use of their mailboxes.
In other words, users had choice between :
• Accept cookies & access their YAHOO ! MAIL mailbox
• Or Reject cookies & be automatically denied access to their YAHOO ! MAIL
After receiving several complaints, CNIL (Commission Nationale Informatique & Liberté) opened an investigation and investigated the matter between 2020 and 2022.
On 29 December 2023, CNIL condemned YAHOO for, among other legal grounds, having infringed users’ right to freely refuse the processing of their personal data via advertising cookies.
Here below is SBL’s legal update.
What are cookies?
A cookie is a small computer file stored by a server on a user’s terminal (computer, telephone, etc.) and associated with a web domain (i.e. in most cases with all the pages of a single website). This file is automatically sent back when subsequent actions are made with the same domain (CNIL definition).
Cookies have multiple purposes. For example, they can be used to register:
• customer ID for a merchant site,
• current contents of a shopping basket,
• language in which a web page is displayed.
Some uses of cookies do not require consent, such as cookies required for functionalities requested by the user (e.g. display language).
Other uses, however, such as advertising, require user’s prior consent.
Use of cookies and of other tracking devices is governed by the French Data Protection Act (Loi Informatique et Libertés) and the General Data Protection Regulation (RGPD). Consent is subject to specific provisions. Cookies for advertising purposes may only be placed where explicit consent has been given.
Consent must be free, specific, informed and unambiguous (articles 4 and 7 of the RGPD).
Article 7(3) of RGPD states in this respect that: The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.
In principle, a legal practice: conditioning use of a service to consent to cookies that are not strictly necessary for service provided
In practice, it is possible to make access to a site conditional on prior acceptance of advertising cookies.
If a user refuses to accept cookies, he or she is denied access to the site concerned, without being able to claim any damages. It is up to them, if they so wish, to visit another website that does not require such acceptance.
However, in this case, consequences for the holder of an email account who, by refusing cookies, was denied access to his or her email, raised a different issue.
CNIL analysed the facts from the angle of “consent”, a legal concept that is regularly in the news.
In this case, users could refuse cookies. However, consequences for them appeared serious: the impossibility of accessing their emails.
In this context, could their consent to cookies be considered free?
Question of harm arising from the consequences of refusing consent to data collection
In this case, YAHOO offered no alternative to users wishing to withdraw their consent.
Their only option was to stop using their email.
However, as CNIL has pointed out, an email address is an element of user’s private life, insofar as it enables them to communicate with other people, store important documents and maintain contact with their contacts.
As a result, as users come to use their email address, they can no longer replace it with a similar service as easily as they would have done initially.
Considering these factors and the harm to the user resulting from the refusal to consent to the installation of cookies by YAHOO, CNIL considered that withdrawal of consent could not be exercised freely in this case and, consequently, that YAHOO had breached its obligations in this respect.
It therefore imposed an administrative fine of ten million (10,000,000) euros on YAHOO EMEA LIMITED.
In response to questions about CNIL’s territorial jurisdiction, CNIL stated that it had territorial jurisdiction pursuant to article 3 of French Data Protection Act, since cookies were used in the “context of the activities” of YAHOO FRANCE, which is the “establishment” of YAHOO EMEA LIMITED on French territory.
***
This case is a reminder of a number of key points concerning personal data, including:
• CNIL’s jurisdiction, both material and territorial,
• CNIL’s powers of investigation and sanction,
• need for vigilance on the part of those responsible for processing personal data, particularly in terms of providing prior information about data collection, obtaining consent and respecting the right to withdraw consent.
It also introduces an important casuistic element to be taken into consideration: assessment, on a case-by-case basis, of the existence – or not – of prejudice suffered by the data subject if he or she refuses – or withdraws – his or her consent to the installation of unnecessary cookies.
***
Please feel free to contact us with any questions you may have:
Delphine Brunet-Stoclet
Marie André-Nivet
Léna Tordjman
Félix Bertrand
