• news-banner

    Expert Insights

Closing the Cookie Jar

Opportunistic claims for misuse of online tracking cookies are on the rise. Proactively ensuring compliance is the key to avoiding nuisance claims.

Since the Data Protection Act 2018 and UKGDPR came into force, public awareness of various data protection rights has steadily risen – perhaps no more obviously than in the increased consciousness of internet tracking technologies, or “cookies.” After high profile exposures of the uses of such technologies, such as the Cambridge Analytica scandal, the issue of privacy online and the tracking of user activity has become more sensitive and closely monitored. That includes the introduction of the cookies banner – pop-ups which present themselves when landing on most websites, inviting the user to accept or “manage” the website’s permitted cookie use on their device. Those banners are the product of a legal restriction on the use of non-essential cookies – including those used to track activity for advertising purposes – without consent from the user. Until the user explicitly accepts those cookies, the website cannot lawfully place them on the device.

However, whether by design, oversight or technical fault, not all web pages wait for the user to opt-in before placing non-essential cookies on their device (as was common practice just a few years ago). Some web users have spotted opportunity in these oversights and Charles Russell Speechlys is seeing a rising number of claims being issued against companies whose websites place cookies on a device without proper consent. For the most part, the claimants are reasonably well-informed opportunists, who scour the web (with the help of specialist websites) looking for non-compliance, and pounce where they find it.

Typically, such a claimant will send the company a letter of claim detailing which cookies were allegedly unlawfully place on their device and claiming a sum of damages, including an amount for “distress” they have suffered at discovering the tracking technologies. Following the 2015 ruling in Vidal-Hall v Google, no financial loss need have been suffered by the claimant in a data privacy case – damages can be awarded for the distress caused by losing control of one’s personal data. There are further cases suggesting that damages may also be awarded for the fact of the breach alone, though this remains an open question. However, while the case law on the value of damages for a cookies claim is not yet fixed, the closest guiding case suggests that a value of around £750 (or £1,000 if accounting for inflation) is the appropriate level in most cases. Many claimants pitch their claims at around this value, knowing that, whilst there may be factual and legal arguments to put forward resisting or reducing the sum of their claim, the cost and effort of doing so may quickly outstrip the cost of simply paying up, and some companies will pay the claimed sum to get rid of the claimant. Others rely on the varying reported case outcomes (which are themselves fact-specific) to demand higher amounts, and we have seen demands for thousands of pounds.

Each individual case may seem like a minor irritation to many companies, but the potential long-term effects are significant. The case of Lloyd v Google continues to progress through the UK Courts and the upcoming Supreme Court ruling will provide authoritative guidance on the level of harm – if any – which a claimant must suffer in order to be entitled to damages for cookies misuse. Lloyd, former director of Which? and a consumer rights activist, is seeking to bring a class-action lawsuit against Google on behalf of all UK iPhone users – approx. 4.4 million people – for alleged data breaches occurring between April 2011 and February 2012. With a suggested valuation of £750 per person, the total value of the Lloyd case is in excess of £3 billion, and the outcome is expected to become the leading authority on the appropriate level of damages in data breach claims of all sizes. If the Supreme Court allows the case (currently at a preliminary stage) to proceed, not only could it open the floodgates to a fresh wave of cookies use claims, it sets the stage for particularly vexatious claimants to threaten class action proceedings on behalf of all users of a non-compliant website. The possible financial exposure in such a claim is substantial by the standards of any company, and the risk has not gone unnoticed.

The question of data protection compliance, including the use of tracking cookies, is increasingly arising in mergers and acquisitions work where more businesses are reliant on their web-presence. Purchasers are ever more aware of the risks that longstanding non-compliance presents and are exploring and addressing these issues in the due diligence process.

The simple solution to the increasing threat of cookies use claims is to ensure a watertight policy on data privacy and tracking technologies, along with regular spot-checks to ensure that technical glitches are not causing cookies to be placed without user consent. As more internet users catch on to the “easy money” opportunity presented by unlawful cookies use, it is more important than ever for businesses to get their own use in order and avoid becoming a target.

If your business is targeted by a cookies use claimant, we are able to offer a fixed fee package for advising on and assisting with managing the claim. If you receive such a claim or would like assistance in reviewing your existing policies to ensure compliance, please contact us.

Our thinking

  • Women in Leadership: Planning for the future

    Sarah Wigington

    Events

  • Retail Week quotes Ilona Bateson on the CMA’s investigation into environmental claims in the fashion retail sector

    Ilona Bateson

    In the Press

  • Fashion and the Green Claims Code brought into focus by open letter from the CMA.

    Ilona Bateson

    Quick Reads

  • Charles Russell Speechlys grows its rankings in The Legal 500 EMEA directory

    Frédéric Jeannin

    News

  • Landmark European AI Act Passed By The European Parliament

    Louise Zafer

    Insights

  • Expert Evidence - Avoiding fatal failure

    Claudine Morgan

    Insights

  • Charles Russell Speechlys hosts international arbitration event in Dubai

    Peter Smith

    Quick Reads

  • Property Patter – Filming Agreements Part 2

    Naomi Nettleton

    Podcasts

  • Charles Russell Speechlys Paris significantly strengthens litigation practice with notable team hire led by Frédéric Dereux

    Frédéric Dereux

    News

  • Trade Credit Insurance – Protection, Economic Instability and Increased Demand

    Mary Barrett

    Insights

  • Consumer Duty - FCA warns that some firms are “lagging behind”

    Richard Ellis

    Insights

  • UK Government AI Regulation Response & Roadmap – Is the Government behind the wheel?

    Mark Bailey

    Insights

  • Remote Hearings – factors to consider

    Richard Kiddell

    Insights

  • Richard Davies writes for City AM on the lessons that the Premier League can learn from the Super Bowl and NFL

    Richard Davies

    In the Press

  • The ongoing fight against fakes

    Charlotte Duly

    Quick Reads

  • Abu Dhabi’s New Arbitral Centre Unveils its Rules

    Dalal Alhouti

    Quick Reads

  • Fortune quotes Richard Davies on sponsorship deals and the strength of brand/supporter loyalty in football

    Richard Davies

    In the Press

  • Legal tips and trends for Creative Design Agencies in 2024

    Rebecca Steer

    Insights

  • Charles Russell Speechlys advises Downing LLP on the successful refinancing of its loan facility with Kao Data

    News

  • New Regulations for the UAE’s Media Sector in 2024

    Mark Hill

    Quick Reads

  • Megan Paul writes for The Grocer on why green energy can be a 'money saver' for retailers rather than a 'money spender'

    Megan Paul

    In the Press

  • Greenwashing: The Story So Far

    Caroline Greenwell

    Insights

  • Under the Influence: Legal Considerations for Social Media Influencer Partnerships in the UAE

    Mark Hill

    Quick Reads

  • Reuters quotes Megan Paul on supply chain considerations coming out of tensions in the Red Sea

    Megan Paul

    In the Press

  • EU AI Act – Will it become a law for all the world?

    Nick White

    Quick Reads

  • Indemnity Costs in Derivative Claims – Briefing Note

    John Sykes

    Insights

  • Trading insolvently or trading out of difficulty? Are we being naughty or did we have the best intentions? Part 3

    Claudine Morgan

    Insights

  • Ctrl + GCC: The Rise of e-Sports in the Gulf

    Mark Hill

    Quick Reads

  • Digital Markets, Competition and Consumers Bill: Will new consumer protection rules restrict access to Gift Aid?

    Verity Heath

    Quick Reads

  • The End of the SAG-AFTRA Strike & What it Means for the Middle East

    Mark Hill

    Quick Reads

  • UAE Strengthens its Position as Leading Destination for A.I.

    Mark Hill

    Quick Reads

  • Dubai Court of Cassation Extends Arbitration Agreement Across Subsequent Contracts

    Peter Smith

    Quick Reads

  • UAE Polishes Federal Arbitration Law

    Peter Smith

    Quick Reads

  • Drone deliveries: Be Prepared

    Emma Humphreys

    Quick Reads

  • Product compliance and Brexit - UK Government concedes to CE markings indefinite recognition

    Jamie Cartwright

    Quick Reads

  • Has the Orpéa plan impaired shareholder's consent? - Le plan de sauvegarde d'Orpéa n'a-t-il pas vicié le consentement des actionnaires historiques ?

    Dimitri-André Sonier

    Quick Reads

  • Will the downturn in the Paris region property market lead property companies to turn to ad hoc proceedings, as they did in the 1990s?

    Dimitri-André Sonier

    Quick Reads

  • Les défaillances en France proches de leur niveau de 2019 - French insolvencies close to 2019 levels

    Dimitri-André Sonier

    Quick Reads

  • Casino Group: An agreement with investors and debt holders is expected at the end of July

    Dimitri-André Sonier

    Quick Reads

  • DIAC Issues First Annual Report

    Georgia Fullarton

    Quick Reads

Back to top