The Irish DPC has issued a draft decision against Yahoo for using a cookie banner that lacks an option for users to deny ad tracking, thereby failing to offer the required free choice.
Yahoo is the owner of various media properties, such as Yahoo News, Yahoo Finance, and Yahoo Sports, as well as tech media sites like Engadget, HuffPo, and Tumblr. These sites are linked to the company's online advertising business through the use of tracking cookies, which trigger cookie consent banners displaying information about ad partners and data processing purposes. However, under the GDPR, valid consent for data processing must be informed, specific, and freely given.
The investigation conducted by the Data Protection Commission (DPC) focused on transparency issues related to publications operated by Yahoo, following multiple complaints from individuals about Yahoo media sites. One of the main concerns raised was the cookie banners used on these sites, which were reported to sometimes "effectively" offer no choice to users beyond an "okay" button. This issue is particularly relevant given that the GDPR requires consent for data processing to be freely given and specific, meaning that users must have a genuine choice to accept or reject tracking.
Moreover, the current cookie banner implementation by Yahoo places the reject button on the second level of the menu, rather than alongside the "accept all" option at the top. This means that users must first click through "manage settings" before they can see the option to reject all cookies. Furthermore, the second-level menu is quite long and requires scrolling, which may make it less user-friendly and raise new regulatory concerns. This revised design may be seen as failing to provide an equally simple way for users to reject tracking, which could result in further complaints and investigations by the DPC.
A preliminary decision has been issued following an assessment of the company's compliance with the GDPR's provisions on transparent information provision to data subjects.
Irish Data Protection Commission and Yahoo
Draft decision - Press Release
Related deceptive patterns
There are numerous ways to interfere with the visual design of a page to hide, obscure or disguise information. Visual perception can be manipulated by using small, low-contrast text. Comprehension can be manipulated by creating a chaotic or overwhelming interface. Users' expectations can be violated by placing important information in styles or locations they would not expect.
Obstruction is a type of deceptive pattern that deliberately creates obstacles or roadblocks in the user's path, making it more difficult for them to complete a desired task or take a certain action. It is used to exhaust users and make them give up, when their goals are contrary to the business's revenue or growth objectives. It is also sometimes used to soften up users in preparation for a bigger deception. When users are frustrated or fatigued, they become more susceptible to manipulation.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.