On December 29, 2023, the French Data Protection Authority (CNIL) fined Yahoo EMEA Limited €10 million for disregarding the choices of internet users who refused cookies on its “Yahoo.com” website and for preventing users of its “Yahoo! Mail” messaging service from freely withdrawing their consent to cookies.

CNIL established that when users visited the “Yahoo.com” site, the cookie banner featured multiple buttons to obtain consent for cookie deposition. However, despite the absence of explicit consent, about twenty advertising cookies were still deposited on the user’s device.

Moreover, CNIL discovered that, as users of the “Yahoo! Mail” messaging service attempted to revoke their cookie consent, the company informed them that doing so would lead to a loss of access, including to the messaging service.

CNIL emphasized that linking non-essential cookies to a service is acceptable as long as consent is freely given, and there is no harm to the user for refusing or withdrawing consent. In this instance, however, Yahoo failed to provide an alternative for users to withdraw their consent, forcing them to forgo the use of the messaging service.

Substantial fines entail significant financial risks for companies. Beyond the financial aspect, such penalties often carry reputational risks, which can be even more severe. Recognizing these dual challenges, the following recommendations offer a way to proactively navigate and mitigate risks tied to your organization’s cookie practices, protecting both the balance sheet and the company’s good reputation. The CNIL’s decision involved European data privacy law issues, which don’t apply to every organization. But even absent a regulatory mandate, these recommendations should be considered best practices:

  1. Receive correct user consent for all non-essential cookies.

There are two types of cookies – essential and non-essential. Essential cookies are critical for fundamental functions like user authentication, session management, language preferences, and overall security measures, and they can be set without explicit user consent. All other cookies fall into the non-essential category, including cookies used for analytics, advertising, or preferences. It is imperative to set these non-essential cookies only after obtaining clear and informed consent from the user.

In addition to obtaining consent for non-essential cookies, it is important to allow users to select the cookie categories to which they’re consenting. This customization enables individuals to align their privacy preferences with personal comfort levels and specific interests.

  2. Consent should be free and regularly renewed.

Users should have the autonomy to make choices without undue pressure. Additionally, withdrawing consent should be as simple as giving it, emphasizing a user-centric approach to data control. However, withdrawing consent cannot result in a denial of services unrelated to non-essential cookies.

Keep in mind that consent should be periodically renewed. According to the European Union ePrivacy Directive, this renewal should occur at least once a year. However, specific data protection authorities (DPAs) may set different timelines. The French CNIL recommends, for instance, renewing consent every six months.

  3. Do not use cookies for purposes not covered by consent.

Once user consent is obtained for a specific purpose (such as analytics or personalized advertising), you must not repurpose these cookies for unrelated functions.

  4. Remember the retention period for cookies.

The retention period for cookies typically cannot exceed what is necessary for the purpose for which the cookies are used. However, some DPAs specify a particular duration. For example, in France, Luxembourg, and the Netherlands, this period may range from 6 to 13 months from the moment cookies are set (and a user’s consent is provided).
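The first four recommendations (consent before setting non-essential cookies, per-category choice, withdrawal that does not break the service, and a capped retention period) can be enforced in one place. The following is an added example, not Yahoo's or CNIL's code and not part of the original post; the category names, the 13-month cap and the six-month renewal interval are assumptions drawn from the text, and months are approximated as 30 days.

```javascript
// Added example: a minimal consent-gated cookie jar modelling the recommendations above.
// All times are in seconds; the consent record and cookie jar are kept in memory.
const ESSENTIAL = "essential";
const MAX_RETENTION_SECONDS = 13 * 30 * 24 * 3600;   // longest retention period the text cites
const CONSENT_RENEWAL_SECONDS = 6 * 30 * 24 * 3600;  // CNIL's recommended renewal interval

class ConsentManager {
  constructor() {
    this.choices = new Map();   // category -> true/false, set only by an explicit user action
    this.consentedAt = null;    // when the current consent was recorded
    this.jar = new Map();       // cookie name -> { category, expires }
  }

  // Record the user's per-category choice. Any category the user did not
  // explicitly opt into is treated as refused: nothing is pre-selected.
  recordConsent(choices, at) {
    this.choices = new Map(Object.entries(choices).map(([c, v]) => [c, v === true]));
    this.consentedAt = at;
  }

  // Essential cookies never need consent; everything else needs an explicit
  // opt-in that has not outlived the renewal interval.
  hasConsent(category, at) {
    if (category === ESSENTIAL) return true;
    if (this.consentedAt === null || at - this.consentedAt > CONSENT_RENEWAL_SECONDS) return false;
    return this.choices.get(category) === true;
  }

  // Set a cookie only if its category is consented to, and never let its
  // lifetime exceed the retention cap. Returns whether the cookie was set.
  setCookie(name, category, maxAgeSeconds, at) {
    if (!this.hasConsent(category, at)) return false;
    this.jar.set(name, { category, expires: at + Math.min(maxAgeSeconds, MAX_RETENTION_SECONDS) });
    return true;
  }

  // Withdrawing consent for a category removes only that category's cookies;
  // essential cookies, and therefore the service itself, keep working.
  withdrawConsent(category) {
    this.choices.set(category, false);
    for (const [name, c] of this.jar) if (c.category === category) this.jar.delete(name);
  }

  cookieNames() { return [...this.jar.keys()].sort(); }
  expiresAt(name) { return this.jar.has(name) ? this.jar.get(name).expires : null; }
}
```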

  5. Add a privacy or cookie policy to disclose details about cookies and how to manage them.

Implementing a privacy or cookie policy is essential to transparently communicate information about cookies and their management. This practice serves as a valuable resource for users, offering insights into the types of cookies used, their specific purposes, and guidance on how individuals can control or opt out of cookie tracking.

A well-crafted policy not only enhances user understanding but also demonstrates a commitment to privacy, fostering trust and compliance with data protection regulations.

  6. Do not use dark patterns.

Dark patterns are tricks used in designs to mislead users or persuade them to do things they don’t want to do. The following are a few examples of dark patterns to avoid:

  • The “Accept” button is more prominent than the “Reject” button.
  • Consent for non-essential cookies is pre-selected by default.
  • The text on the banner is unreadable due to a pale color and small line spacing.

Utilizing dark patterns not only undermines user autonomy but also violates principles of transparency and informed choice. This can erode users’ trust and potentially lead to non-compliance with data protection regulations.

Conclusion

The CNIL decision against Yahoo EMEA Limited highlights the need for robust data privacy practices. This post has provided recommendations for proactive measures that navigate and mitigate those risks and signal a commitment to preserving user trust and a company’s reputation.

Recognizing the dynamic nature of data privacy, organizations need to remain adaptable. When questions arise about cookie usage, seeking guidance from data privacy specialists ensures thorough compliance with evolving standards.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.