Ireland's Data Protection Commission Investigation into Yahoo

Final decision pending


The Irish DPC has issued a draft decision against Yahoo for using cookie banner that lacks an option for users to deny ad tracking by not offering the required free choice.

Our analysis

Yahoo is the owner of various media properties, such as Yahoo News, Yahoo Finance, and Yahoo Sports, as well as tech media sites like Engadget, HuffPo, and Tumblr. These sites are linked to the company's online advertising business through the use of tracking cookies, which trigger cookie consent banners displaying information about ad partners and data processing purposes. However, under the GDPR, valid consent for data processing must be informed, specific, and freely given.
The investigation conducted by the Data Protection Commission (DPC) focused on transparency issues related to publications operated by Yahoo, following multiple complaints from individuals about Yahoo media sites. One of the main concerns raised was the cookie banners used on these sites, which were reported to sometimes "effectively" offer no choice to users beyond an "okay" button. This issue is particularly relevant given that the GDPR requires consent for data processing to be freely given and specific, meaning that users must have a genuine choice to accept or reject tracking.
Moreover, the current cookie banner implementation by Yahoo places the reject button on the second level of the menu, rather than alongside the "accept all" option at the top. This means that users must first click through "manage settings" before they can see the option to reject all cookies. Furthermore, the second level menu is quite long and requires scrolling, which may make it less user-friendly and raise new regulatory concerns. This revised design may be seen as failing to provide an equally simple way for users to reject tracking, which could result in further complaints and investigations by the DPC.


A preliminary decision has been issued following an assessment of the company's compliance with the GDPR's provisions on transparent information provision to data subjects.


Irish Data Protection Commission and Yahoo

Case number

Draft decision - Press Release

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us