The Irish Data Protection Authority (DPA) wants to convict Yahoo of AVG/GDPR violations. According to the watchdog, Yahoo’s websites offered insufficient options to refuse cookie tracking in recent years.

Yahoo has been under investigation by the Irish DPA since 2019. The watchdog wants to convict the company of violating the AVG/GDPR. According to the Irish DPA, Yahoo failed to acquire legitimate consent for cookie tracking for years on end.

Each European DPA needs permission from DPAs in other member states to convict a company. Hence, the Irish watchdog recently shared the investigation’s results with its European counterparts. If the plan is greenlit, Yahoo could be sentenced within months.

Yahoo’s cookie tracking

The AVG/GDPR requires companies to ask website visitors for permission to track and share cookies. The way a company requests consent must meet a number of conditions.

Yahoo is the parent company of several websites, including Yahoo News. When the Irish watchdog launched an investigation into Yahoo in 2019, some of the websites lacked an option to refuse all cookie tracking. The cookie form was revamped in the spring of 2021. Yahoo has offered a button to decline all forms of tracking ever since.

The ground on which the Irish watchdog intends to convict Yahoo has not been disclosed. First, it’s possible that the authority wants to prosecute Yahoo for the years in which its cookie forms were uncompliant. Second, it’s possible that the cookie forms remain uncompliant to this day.

Advertisements and millions in fines

A cookie is a file containing information about a user’s website visit. When permitting cookie tracking, you authorize a website to share your cookies with third parties. A party can purchase the cookies to gain insight into the websites you visit. The latter allows organizations like Google to sell targeted ads.

Cookies are personal data. Sharing personal data is subject to the AVG/GDPR in the European Union. As a result, sharing requires user consent. The ways in which organizations obtain consent are regularly scrutinized by DPAs. Google and Facebook received fines of €150 million and €60 million respectively for illegal cookie forms in January 2022.