Yahoo’s ConnectID is a cookieless identity solution that allows advertisers and publishers to personalize, measure, and perform ad campaigns by leveraging first-party data and 1-to-1 consumer relationships. ConnectID uses consumer email addresses (instead of third-party tracking cookies) to produce and monetize consumer data. A lawsuit filed in the U.S. District Court for the Southern District of New York says that this use and monetization is occurring without consumer consent. The complaint alleges that ConnectID allows user-level tracking across websites by utilizing the individual’s email address—i.e., ConnectID tracks the users via their email addresses without consent. The complaint further alleges that this tracking allows Yahoo to create consumer profiles with its “existing analytics, advertising, and AI products” and to collect user information even if a user isn’t a subscriber to a Yahoo product.

The complaint states, “Yahoo openly tells publishers that they need not concern themselves with obtaining user consent because it already provides ‘multiple mechanisms’ for users to manage their privacy choices. This is misleading at best.” Further, the complaint alleges that Yahoo’s Privacy Policy “makes no mention of sharing directly identifiable email addresses and, in fact, represents that email addresses will not be shared.”

The named plaintiff seeks to certify a nationwide class of all individuals with a ConnectID and whose web communications have been intercepted by Yahoo. The plaintiff asserts this class will be “well over a million individuals.” The complaint seeks relief under the New York unfair and deceptive business practices law, the California Invasion of Privacy Act, and the Federal Computer Data Access and Fraud Act.

These “wiretap” violation lawsuits are popping up all across the country. The lawsuits allege violations of state and federal wiretap statutes, often focusing on website technologies like session replay, chatbots, and pixel tracking, arguing that these trackers (and here, the tracking of email addresses) allow for unauthorized interception of communications. For more information on these predatory lawsuits, check out our recent blog post, here.

The lawsuit seeks statutory, actual, compensatory, punitive, nominal, and other damages, as well as restitution, disgorgement, injunctive relief, and attorneys’ fees. Now is the time to assess your website and the tracking technologies it uses to avoid these types of claims.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Read more about Kathryn Rattigan
Show more Show less