• by Wendy Davis , April 7, 2025

A Vermont resident has sued Yahoo for allegedly violating consumer protection and privacy laws in New York and California with ConnectID -- an ad-targeting mechanism that tracks users based on encrypted email addresses.

“Through Yahoo ConnectID ... Yahoo has been secretly harvesting and monetizing directly identifiable user data from millions of U.S. residents without their knowledge and consent,” Tyler Baker alleges in a class-action complaint filed late last week in U.S. District Court for the Southern District of New York.

“Yahoo knowingly and intentionally developed persistent, unique identifiers to track plaintiff and class members across internet-connected services, despite knowing these types of identifiers were at odds with users’ expectation of privacy,” Baker adds.

The complaint includes a claim that Yahoo dupes consumers by failing to fully inform them about ConnectID -- which was launched in 2020 and allegedly enables tracking even if users delete third-party cookies or reset mobile identifiers.

“Rather than relying on cookies or mobile identifiers, the Yahoo ConnectID is an email-based persistent identifier,” the complaint alleges.

“When a user logs in or provides an email ... to an online service offered by Yahoo or one of its partners, Yahoo intercepts and assigns a Yahoo ConnectID to that user based on their email address.,” Baker adds. “The Yahoo ConnectID is privacy-invasive because it is a work-around to privacy mechanisms designed to prevent this type of user-based tracking.”

The complaint alleges that Yahoo combines the ConnectID data with other information in order to “create comprehensive user profiles” that are used for ad targeting.

Baker contends Yahoo deceptively fails to tell people that ConnectID is “tied directly” to their personally identifiable information.

Yahoo's privacy policy “expressly states that it does 'not share personally identifiable information (like phone number or email address) with . . . partners, such as publishers, advertisers, ad agencies, or analytics partners,'” the complaint alleges.

“While Yahoo may not disclose email addresses directly, it intercepts and maps them directly to ConnectID, a persistent identifier that it does share with others. This translation is akin to (and no better than) sharing the email address itself,” the complaint alleges.

Baker also contends that even though Yahoo encrypts email addresses, the data “remains identifiable.”

“While ConnectID does not itself contain the users’ actual email address or phone number, it serves as the functional equivalent of those values based on its direct mapping to them,” the complaint alleges, adding that the Federal Trade Commission warned last July that hashes “are not 'anonymous' and can still be used to identify users.”

The complaint also alleges that Yahoo makes “misleading at best” statements to publishers by telling them “they need not concern themselves with obtaining user consent because it already provides 'multiple mechanisms' for users to manage their privacy choices.”

Yahoo hasn't yet responded to MediaPost's request for comment.