A multi-year investigation into TechCrunch’s parent entity Yahoo — looking at compliance with key transparency requirements of the European Union’s General Data Protection Regulation (GDPR), including in relation to cookie banners displayed on its media properties — has taken a step forward today after Ireland’s Data Protection Commission (DPC) announced that it has submitted a draft decision to other EU data protection agencies for review.

“On October 27, 2022, the DPC submitted a draft decision in an inquiry into Yahoo! EMEA Limited to other Concerned Supervisory Authorities across the EU. The inquiry examined the company’s compliance with the requirements to provide transparent information to data subjects under the provisions of the GDPR. Under the Article 60 GDPR process, Concerned Supervisory Authorities have until 24 November, 2022 to send any ‘relevant and reasoned objections’ to the DPC’s draft decision.”

Following its usual procedure, the DPC has not released any details on the substance of its draft decision. In any case, the outcome is not final until other interested DPAs have weighed in — so nothing has been concluded yet.

The inquiry concerns Yahoo’s processing of European users’ data and is focused on its compliance with Articles 5(1)(a), 12, 13 and 14 of the GDPR — so the DPAs will be considering whether Yahoo’s business has been meeting GDPR requirements for personal data processing to be lawful, fair and transparent; and also whether it’s been properly communicating to users how their data is being processed.

If other DPAs agree with Ireland’s draft, a final decision could be issued fairly soon, maybe even in a couple of months.

Thing is, under the GDPR, in order for consent to be a valid legal basis to process people’s data it must be informed, specific and freely given — so a cookie banner that lacks an option for users to deny ad tracking is going to attract complaints that it is not offering the required free choice.

Verizon Media does appear to have made a notable change to the design of its cookie banner (circa spring 2021) — so subsequent to the DPC opening its investigation — which tweaked the implementation of the consent flow to include a reject button.

A current version of a Yahoo cookie banner (shown below being displayed on a Yahoo website) can be seen including two ‘reject all’ options:

[Image: Yahoo cookie banner. Screengrab: Natasha Lomas/TechCrunch]

On the less positive side, this cookie banner tries to claim a “legitimate interest” (i.e. non-consent based) ground for processing people’s data for ad targeting (and defaults those toggles to ‘on’) — but you can at least deny this by selecting “reject all” under the LI field.

The current Yahoo cookie banner implementation — at least on the version we saw — also relegates the reject button to the second level of the menu — rather than displaying it at the top level, alongside the “accept all” option displayed there.

This means users have to click through “manage settings” before they can even see a reject all option (and this second-level menu is long and requires scrolling), so the tweaked design may raise fresh objections from regulators since it does not offer a way to reject tracking that is as easy as the way to allow it.

Still, it remains to be seen what the EU DPAs will decide on the Yahoo complaint as a whole. Since the complaint predates this implementation of the cookie banner, the inquiry may not consider the current design as closely as the old one, which netted Yahoo all these complaints. (Although DPAs could also take it into consideration in any order to the company to amend the design of the banner in a final decision.)

One thing is clear: Cookie consents for ad tracking are getting increasing attention from EU regulators.

The not-for-profit has also filed a number of complaints about cookie banner reform refuseniks with regulators — 226 had been lodged with 18 data protection authorities as of August — although enforcements remain pending as procedures grind on.

Ireland-led GDPR probe of Yahoo’s cookie banners moves to draft decision review by Natasha Lomas originally published on TechCrunch