Ireland’s GDPR investigation into Yahoo’s cookie banners moves to review of draft decision • TechCrunch

A multi-year investigation of TechCrunch’s parent entity, Yahoo – looking at compliance with key European Union General Data Protection Regulation (GDPR) transparency requirements, including in relation to displayed cookie banners on its media properties – took a step forward today after Ireland’s Data Protection Commission (DPC) announced that it had submitted a draft decision to other data protection agencies in the EU for consideration.

In a statement on the development, Deputy Commissioner Graham Doyle said:

On October 27, 2022, the DPC submitted a draft decision as part of an investigation into Yahoo! EMEA Limited to other relevant supervisory authorities in the EU. The investigation examined the company’s compliance with the requirements to provide transparent information to data subjects under the provisions of the GDPR. Under the GDPR Article 60 process, the relevant supervisory authorities have until November 24, 2022 to send any “relevant and reasoned objections” to the DPC’s draft decision.

In accordance with its usual procedure, the DPC has not published any details on the substance of its draft decision. Either way, the outcome isn’t final until other interested DPAs weigh in – so nothing has been concluded yet.

The investigation concerns Yahoo’s processing of European user data and focuses on its compliance with Articles 5(1)(a), 12, 13 and 14 of the GDPR, i.e. the requirement that the processing of personal data must be lawful, fair and transparent, and also whether it has correctly communicated to users how their data is processed.

If other DPAs agree with Ireland’s draft, a final decision could be made fairly quickly – possibly even within months.

However, if objections are raised, the process may have to go through a dispute resolution mechanism in the GDPR, which could drag things out for many months. (For example, a draft ruling on Instagram’s handling of children’s data went to Article 60 in December 2021, but a final ruling (and a hefty fine in this case) took until September 2022 to land after other DPAs raised objections to Ireland’s draft.)

The DPC’s investigation into Yahoo began in August 2019, when the entity was known as Verizon Media (née Oath) and owned by US carrier Verizon. The latter then sold the division, in May 2021, to private equity giant Apollo Global Management – which opted for a retro rebrand (to Yahoo). So it’s the PE giant that has the regulatory exposure here.

Speaking to the Irish Independent in 2019, DPC Commissioner Helen Dixon said the inquiry had focused on transparency issues relating to publications operated by the company and had been initiated in response to multiple complaints from individuals about Yahoo media sites – including about cookie banners she said sometimes “effectively” give users no choice – beyond an “option” to click “ok”.

Yahoo owns a slew of Yahoo-branded media properties, including Yahoo News, Yahoo Finance, Yahoo Sports and more, as well as tech media sites like Engadget (and this website) and, at the time the DPC opened its inquiry, HuffPo and Tumblr – which the company linked to its online advertising business through the use of tracking cookies dropped on visitors’ devices. Therefore, these cookie consent banners appear with information about advertising “partners” and processing purposes.

The point is that, under the GDPR, for consent to be a valid legal basis for processing people’s data, it must be informed, specific and freely given. Thus, a cookie banner that does not give users the ability to opt out of ad tracking will attract complaints that it does not provide the required freedom of choice.

Verizon Media appears to have made a notable design change to its cookie banner (circa Spring 2021) – so after the DPC initiated the investigation – which changed the implementation of the consent flow to include a reject button.

A current version of a Yahoo cookie banner (shown below, as displayed on a Yahoo website) can be seen to include two “discard all” options:

Screenshot: Natasha Lomas/TechCrunch

On the less positive side, this cookie banner tries to claim a “legitimate interest” (i.e. not based on consent) ground for processing people’s data for ad targeting (and enables these toggles by default) – but you can at least deny this by selecting “reject all” under the LI field.

The current implementation of the Yahoo cookie banner – at least on the version we’ve seen – also relegates the dismiss button to the second level of the menu, rather than displaying it at the top level, next to the “accept all” displayed there.

This means that users have to click on “manage settings” before they see a dismiss option at all (and that second-level menu is long and requires scrolling) – so the changed design may raise further objections on the part of regulators because it doesn’t offer as easy a way to dismiss tracking as to allow it.

It remains to be seen what the EU DPAs will decide on the Yahoo complaint as a whole. Since the complaint predates this implementation of the cookie banner, the investigation may not consider the current design as closely as the old one that brought Yahoo all these complaints. (Although DPAs may also take this into account in any order for the company to change the banner design in a final decision.)

One thing is clear: cookie consents for ad tracking are increasingly attracting the attention of EU regulators.

Earlier this year, the French CNIL imposed substantial fines on Google and Facebook related to dark patterns on cookie banners (under the ePrivacy Directive, which, unlike the GDPR, does not require cross-border complaints to be routed to a primary DPA, as happened here with the Yahoo complaint).

A few months later, Google updated its cookie banner in Europe to include a top-level reject all button.

Last year, the UK’s data protection watchdog also issued an advisory urging the ad tracking industry to prepare to reform and revamp its advertising technology to provide users with non-profiling choices and other privacy-friendly choices – signaling that it expects a major shift in direction away from mass surveillance of internet users by design and by default.

Since last year, European privacy campaign group noyb has also led a major GDPR enforcement campaign to encourage dozens of websites to reform non-compliant cookie banners, sending complaints to them directly but also providing a free analysis of the adjustments needed to bring their cookie pop-ups into compliance with the GDPR. Only sites that resist the necessary changes will face a complaint filed by noyb with a competent DPA.

Earlier this year it published a batch of “before and after” examples of how a number of well-known retail sites adapted their cookie banners in response to its proactive campaign – with the addition of a top-level “discard all” button being a key compliance measure taken by many reformed noyb targets.

The nonprofit has also filed a number of complaints about cookie banner reform refusals with regulators – 226 had been filed with 18 data protection authorities in August – although enforcement action remains in abeyance as the proceedings progress.