Yahoo Ecommerce, also known as Yahoo Small Business or Yahoo Stores, is a hosted ecommerce platform operated by Yahoo Inc in the United States that lets merchants build a storefront and accept orders through Yahoo domains.
Yahoo Ecommerce, originally Yahoo Small Business or Yahoo Stores, is a hosted online shop service. Merchants build a storefront on yahoo.com subdomains such as store.yahoo.com or shopping.yahoo.com, manage products and orders, and benefit from the wider Yahoo audience and advertising network operated by Yahoo Inc, now part of Apollo Global Management.
The platform sets a wide range of cookies on Yahoo domains. The B cookie is a browser identifier, A1 and A3 are advertising and personalisation cookies, IDSYNC is used for cross domain ID matching, GUC is a global user cookie and yht stores Yahoo home page traffic data. Pixels and IDs are shared across the Yahoo advertising network, which can include behavioural and interest segments.
Advertising, audience and non strictly necessary analytics cookies require prior consent under Article 5(3) ePrivacy Directive and Article 6(1)(a) GDPR. Order management uses Article 6(1)(b) GDPR (contract). Fraud and security signals fall under Article 6(1)(f) GDPR (legitimate interest), subject to the standard balancing test.
Yahoo Ecommerce is operated from the United States. Personal data on visitors, buyers and audience segments are routinely transferred from the EU to the United States. Yahoo Inc relies on the EU US Data Privacy Framework and Standard Contractual Clauses 2021/914. EU controllers must follow the Schrems II case law and complete a transfer impact assessment.
A DPIA under Article 35 GDPR is strongly recommended. The processing involves large scale behavioural advertising, profiling across the Yahoo network, cross device identity syncing and an EU US data transfer. The DPIA must address the legal basis for each cookie, the Data Privacy Framework status, retention of advertising IDs and the rights of data subjects to opt out of audience targeting.
Block advertising and audience scripts until consent, list Yahoo Inc in the privacy notice and cookie banner, document the EU US transfer mechanism, monitor the Data Privacy Framework certification, sign a data processing agreement with Yahoo and offer easy opt out, deletion and access for buyers.
Websites using Yahoo Ecommerce must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because the platform combines large scale behavioural advertising, cross device identity syncing through the Yahoo advertising network and a systematic transfer of personal data from the EU to the United States. The DPIA must address the legal basis for each cookie family, the Data Privacy Framework status of Yahoo Inc, the supplementary measures applied and the data subject rights for advertising audiences.
Sample consent text
Our shop runs on Yahoo Ecommerce, hosted in the United States. With your permission, Yahoo will set advertising and analytics cookies (B, A1, A3, IDSYNC, GUC) and transfer your data to the US under the EU US Data Privacy Framework. Do you accept these cookies?
Third-party domains contacted
shopping.yahoo.com
smallbusiness.yahoo.com
store.yahoo.com
ads.yahoo.com
analytics.yahoo.com
b.yjtag.yahoo.co.jp

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| B | third_party | 1 year | Browser identifier set by Yahoo across yahoo.com domains. Used for analytics, ad selection and frequency capping in the Yahoo advertising network. |
| A1 | third_party | 1 year | Stores the visitor advertising profile and consent state for Yahoo personalised advertising. |
| A3 | third_party | 1 year | Long lived advertising cookie used to measure ad performance and to deliver Yahoo personalised content. |
| IDSYNC | third_party | 1 year | Used to synchronise Yahoo user identifiers with partner advertising networks for cross site targeting. |
| GUC | third_party | 1 year | Global user cookie that ties Yahoo profile and advertising preferences across Yahoo properties. |
| yht | third_party | 1 year | Tracks Yahoo home page and store traffic for audience measurement and personalisation. |
| yc_session | session | Session | Strictly necessary cookie that maintains the buyer cart and authenticated session on the Yahoo store. |
| y_csrf | session | Session | Cross site request forgery token that protects checkout and account forms on the Yahoo store. |
Yahoo Ecommerce uses cookies for user preferences — inform visitors with a consent banner.
Yahoo Ecommerce sets a broad set of cookies including B (browser identifier), A1 and A3 (advertising and personalisation), IDSYNC (cross domain ID matching), GUC (global user cookie), yht (Yahoo traffic) and various session and security cookies. Many of them are advertising or audience cookies that require consent in the EU.
Yes. Advertising, audience and non strictly necessary analytics cookies set on the Yahoo storefront require prior consent under Article 5(3) ePrivacy Directive and Article 6(1)(a) GDPR. Only strictly necessary order management cookies can be set without consent.
Three bases coexist. Consent (Article 6(1)(a) GDPR) covers advertising and audience cookies. Contract (Article 6(1)(b) GDPR) covers the order and account management. Legitimate interest (Article 6(1)(f) GDPR) covers fraud prevention and platform security.
Yes. Yahoo Inc operates the platform from the United States, so personal data of EU buyers are transferred to the US. Yahoo Inc uses the EU US Data Privacy Framework and Standard Contractual Clauses, but EU controllers must document a transfer impact assessment.
A DPIA is strongly recommended. The platform combines large scale behavioural advertising, cross device identity syncing across the Yahoo network and a systematic EU US transfer, which trigger several criteria of Article 35 GDPR.
Use a consent management platform that blocks Yahoo advertising and audience scripts until consent, surface a granular cookie banner, sign a data processing agreement with Yahoo, monitor the Data Privacy Framework certification and offer clear opt out, access and deletion paths.
Common ecommerce alternatives include Shopify, Adobe Commerce (Magento), PrestaShop, WooCommerce and BigCommerce. Each one has its own hosting region, third party cookie footprint and transfer mechanism that should be reviewed before migration.
Describe each Yahoo cookie family (B, A1, A3, IDSYNC, GUC, yht), the purpose, the retention, the controller relationship with Yahoo Inc, the EU US transfer mechanism and a link to the Yahoo privacy notice. Refresh the entry whenever Yahoo updates its cookie list.