
US judge grants class action against Yahoo for illegally accessing emails


Non-Yahoo Mail users who sent emails to and/or received emails from Yahoo Mail users have claimed that Yahoo intercepted and analysed their emails and attachments with the goal of using the data to create 'targeted advertising' for its 275 million mail subscribers. They allege that Yahoo provides no mechanism for non-Yahoo Mail users to opt out of Yahoo's scanning practices.

Yahoo argued in its defence that some of the claimants continued to email Yahoo Mail users even once they were aware of Yahoo's activities and in doing so consented to Yahoo accessing their emails. The company also argued that the alleged injuries were too disparate to justify class certification.

However, US District Judge Lucy Koh ruled that (1) nationwide, people who sent emails to or received emails from Yahoo Mail users from 2 October 2011 can sue the company as a group under the Stored Communications Act and (2) Californian holders of non-Yahoo accounts in California since 2 October 2012 may also sue as a group for privacy infringement under California’s Invasion of Privacy Act.


As a result of the judge’s decision, there are estimated to be over one million members in the privacy lawsuit. They are seeking damages, an order that everyone with whom Yahoo has shared or sold information or data collected from non-subscribers' emails be identified and an injunction banning Yahoo from spying on emails.

The decision means it will be easier for the group to receive larger damages and more wide-ranging pay-outs at a lower cost.

In addition, if an injunction is granted, this will have a significant effect on Yahoo’s revenue. It has been reported that in 2014, nearly 80% of Yahoo's revenue came from its search and display advertising.

The judge distinguished her decision from an earlier decision she made in 2014 involving Gmail. In the latter case, she refused to grant class-action status on behalf of Gmail and non-Gmail users because it was too difficult to determine which users had agreed to Google's scanning practices.


Although this is a US case, the sheer size of the class bringing this action will ensure a high-profile result worldwide.

Even though the case will be decided under legislation which is not directly analogous to UK data protection law, the case will draw attention to the broader spirit of the legislation, ie having a right to privacy and the ability to control what happens to information you provide.

In the UK, the case is likely to highlight in particular the practice by any organisation of analysing information (whether emails or other information received by any other means) received from individuals who do not have the opportunity to subscribe to that organisation’s privacy policy or consent to any processing of their personal data. Further, high-profile cases such as this, which are clearly a product of the increasingly digital age we now live in, are likely to influence the new Data Protection Regulation expected to emanate from the EU by the end of this year.


It would be prudent for businesses to review their policies for receiving such information and consider putting in place the ability to collect consents from individuals prior to any processing of such individuals’ personal data taking place.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions.
