
PIPEDA Findings #2021-005: Staying signed in by default to email services poses serious privacy concerns for users accessing their email on a public or shared computer
This investigation concerned Yahoo! Canada's "Stay signed in" feature for its email service, which defaulted to keeping users logged in. The OPC found this practice posed significant privacy risks, especially on public or shared computers, as emails can contain highly sensitive personal information. Yahoo was found to have inadequate safeguards and to have failed to obtain meaningful consent for the disclosure of personal information that could result from this default setting. Yahoo committed to changing the feature to an opt-in basis and providing clearer warnings to users.
- Adequacy of safeguards against unauthorized access to sensitive email content.
- Whether the "Stay signed in" default setting constitutes meaningful consent for disclosure of personal information.
- Clarity and prominence of privacy warnings associated with the "Stay signed in" feature.
Complaint well-founded and conditionally resolved
The OPC found that Yahoo's "Stay signed in" feature lacked adequate safeguards and did not obtain meaningful consent, given the sensitivity of email content and the risk of unauthorized access on shared devices. Yahoo's commitment to an opt-in setting and clearer warnings resolved the concerns.
AI-generated summary for reference only. Always verify against the official decision.
Yahoo committed to changing the "Stay signed in" setting to an opt-in mechanism and providing prominent and clear information about the privacy implications of opting in.
- Principle 4.7 PIPEDA
- Principle 4.7.1 PIPEDA
- Principle 4.3 PIPEDA
- Principle 4.3.6 PIPEDA
- Principle 4.3.5 PIPEDA
- Section 6.1 PIPEDA
- Principle 4.3.2 PIPEDA
This summary is informational only and not legal advice.

