Ireland-led GDPR probe of Yahoo’s cookie banners moves to draft decision review

A multi-year investigation into TechCrunch’s parent entity Yahoo — looking at compliance with key transparency requirements of the European Union’s General Data Protection Regulation (GDPR), including in relation to cookie banners displayed on its media properties — has taken a step forward today after Ireland’s Data Protection Commission (DPC) announced that it has submitted a draft decision to other EU data protection agencies for review.

In a statement on the development, deputy commissioner Graham Doyle said:

On October 27, 2022, the DPC submitted a draft decision in an inquiry into Yahoo! EMEA Limited to other Concerned Supervisory Authorities across the EU. The inquiry examined the company’s compliance with the requirements to provide transparent information to data subjects under the provisions of the GDPR. Under the Article 60 GDPR process, Concerned Supervisory Authorities have until 24 November, 2022 to send any ‘relevant and reasoned objections’ to the DPC’s draft decision.

Following its usual procedure, the DPC has not released any details on the substance of its draft decision. In any case, the outcome is not final until other interested DPAs have weighed in — so nothing has been concluded yet.

The inquiry concerns Yahoo’s processing of European users’ data and is focused on its compliance with Articles 5(1)(a), 12, 13 and 14 of the GDPR — so the DPAs will be considering whether Yahoo’s business has been meeting GDPR requirements for personal data processing to be lawful, fair and transparent; and also whether it’s been properly communicating to users how their data is being processed.

If other DPAs agree with Ireland’s draft, a final decision could be issued fairly soon — maybe even in a couple of months.

However, if objections are raised, the process may need to go through a dispute resolution mechanism in the GDPR — which could spin things out for many more months. (For example, a draft decision on Instagram’s processing of kids’ data went to Article 60 in December 2021, but a final decision, and a hefty fine in that case, took until September 2022 to land after other DPAs raised objections to Ireland’s draft.)

The DPC’s investigation into Yahoo kicked off in August 2019, when the entity was known as Verizon Media (née Oath) and owned by U.S. carrier Verizon. The latter went on to sell the division, in May 2021, to private equity giant Apollo Global Management — which plumped for a retro rebranding (to Yahoo). So it’s the PE giant that’s been left holding the regulatory exposure here.

Speaking to the Irish Independent back in 2019, the DPC’s commissioner, Helen Dixon, said the investigation focused on transparency issues related to publications operated by the company and was opened in response to multiple complaints from individuals about Yahoo media sites — including over cookie banners she said sometimes “effectively” offer no choice to users — beyond an ‘option’ to click “okay”. 

Yahoo owns a string of Yahoo-branded media properties, including Yahoo News, Yahoo Finance, Yahoo Sports etc., tech media sites like Engadget (and this Internet website) — as well as, at the time the DPC opened its probe, the HuffPo and Tumblr — which the company linked to its online advertising business via the use of tracking cookies dropped on visitors’ devices. Hence these cookie consent banners popping up with information about ad ‘partners’ and purposes for processing.

Thing is, under the GDPR, in order for consent to be a valid legal basis to process people’s data it must be informed, specific and freely given — so a cookie banner that lacks an option for users to deny ad tracking is going to attract complaints that it is not offering the required free choice.

Verizon Media does appear to have made a notable change to the design of its cookie banner (circa spring 2021) — so subsequent to the DPC opening its investigation — which tweaked the implementation of the consent flow to include a reject button.

A current version of a Yahoo cookie banner (shown below being displayed on a Yahoo website) can be seen including two ‘reject all’ options:

[Image: Yahoo cookie banner. Screengrab: Natasha Lomas/TechCrunch]

On the less positive side, this cookie banner tries to claim a “legitimate interest” (i.e. non-consent based) ground for processing people’s data for ad targeting (and defaults those toggles to ‘on’) — but you can at least deny this by selecting “reject all” under the LI field.

The current Yahoo cookie banner implementation — at least on the version we saw — also relegates the reject button to the second level of the menu — rather than displaying it at the top level, alongside the “accept all” option displayed there.

This means users have to click through “manage settings” before they can even see a reject all option (while this second level menu is long and requires scrolling) — so the tweaked design may raise fresh objections from regulators since it does not offer an equally easy way to reject tracking as allow it.

Still, it remains to be seen what the EU DPAs will decide on the Yahoo complaint as a whole. Since the complaint predates this implementation of the cookie banner, the inquiry may not consider the current design as closely as the old one, which netted Yahoo all these complaints. (Although DPAs could also take it into consideration in any order to the company to amend the design of the banner in a final decision.)

One thing is clear: Cookie consents for ad tracking are getting increasing attention from EU regulators.

Early this year, France’s CNIL hit Google and Facebook with substantial fines related to dark patterns on cookie banners (under the ePrivacy Directive, which — unlike the GDPR — does not require cross-border complaints to be funnelled to a lead DPA, as has happened here with the Yahoo complaint).

A few months later Google updated its cookie banner in Europe to include a top-level reject all button.

Last year, the UK’s data protection watchdog also published an opinion urging the ad tracking industry to prepare to reform and retool their adtech to provide users with non-profiling and other pro-privacy choices — signalling that it expects a major change of direction away from mass surveillance of web users by design and default.

Since last year, European privacy campaign group, noyb, has also been running a major GDPR enforcement campaign aimed at encouraging scores of websites to reform non-compliant cookie banners by sending complaints directly to them but also providing a free analysis of the tweaks required to bring their cookie pop-ups into line with the GDPR. Only those sites that resist the necessary changes will face a complaint about them being filed by noyb with a relevant DPA.

Earlier this year it released a batch of ‘before and after’ examples of how a number of well known retail sites have adapted their cookie banners in response to its pro-active campaign — with the addition of a top-level “reject all” button being a key compliance action taken by many of noyb’s reformed targets.

The not-for-profit has also filed a number of complaints about cookie banner reform refuseniks with regulators — 226 had been lodged with 18 data protection authorities as of August — although enforcements remain pending as procedures grind on.