Closing the Cookie Jar

Opportunistic claims for misuse of online tracking cookies are on the rise. Proactively ensuring compliance is the key to avoiding nuisance claims.

Since the Data Protection Act 2018 and UKGDPR came into force, public awareness of various data protection rights has steadily risen – perhaps no more obviously than in the increased consciousness of internet tracking technologies, or “cookies.” After high profile exposures of the uses of such technologies, such as the Cambridge Analytica scandal, the issue of privacy online and the tracking of user activity has become more sensitive and closely monitored. That includes the introduction of the cookies banner – pop-ups which present themselves when landing on most websites, inviting the user to accept or “manage” the website’s permitted cookie use on their device. Those banners are the product of a legal restriction on the use of non-essential cookies – including those used to track activity for advertising purposes – without consent from the user. Until the user explicitly accepts those cookies, the website cannot lawfully place them on the device.

However, whether by design, oversight or technical fault, not all web pages wait for the user to opt in before placing non-essential cookies on their device (as was common practice just a few years ago). Some web users have spotted an opportunity in these oversights and Charles Russell Speechlys is seeing a rising number of claims being issued against companies whose websites place cookies on a device without proper consent. For the most part, the claimants are reasonably well-informed opportunists, who scour the web (with the help of specialist websites) looking for non-compliance, and pounce where they find it.

Typically, such a claimant will send the company a letter of claim detailing which cookies were allegedly unlawfully placed on their device and claiming a sum of damages, including an amount for “distress” they have suffered at discovering the tracking technologies. Following the 2015 ruling in Vidal-Hall v Google, no financial loss need have been suffered by the claimant in a data privacy case – damages can be awarded for the distress caused by losing control of one’s personal data. There are further cases suggesting that damages may also be awarded for the fact of the breach alone, though this remains an open question. However, while the case law on the value of damages for a cookies claim is not yet fixed, the closest guiding case suggests that a value of around £750 (or £1,000 if accounting for inflation) is the appropriate level in most cases. Many claimants pitch their claims at around this value, knowing that, whilst there may be factual and legal arguments to put forward resisting or reducing the sum of their claim, the cost and effort of doing so may quickly outstrip the cost of simply paying up, and some companies will pay the claimed sum to get rid of the claimant. Others rely on the varying reported case outcomes (which are themselves fact-specific) to demand higher amounts, and we have seen demands for thousands of pounds.

Each individual case may seem like a minor irritation to many companies, but the potential long-term effects are significant. The case of Lloyd v Google continues to progress through the UK Courts and the upcoming Supreme Court ruling will provide authoritative guidance on the level of harm – if any – which a claimant must suffer in order to be entitled to damages for cookies misuse. Lloyd, former director of Which? and a consumer rights activist, is seeking to bring a class-action lawsuit against Google on behalf of all UK iPhone users – approx. 4.4 million people – for alleged data breaches occurring between April 2011 and February 2012. With a suggested valuation of £750 per person, the total value of the Lloyd case is in excess of £3 billion, and the outcome is expected to become the leading authority on the appropriate level of damages in data breach claims of all sizes. If the Supreme Court allows the case (currently at a preliminary stage) to proceed, not only could it open the floodgates to a fresh wave of cookies use claims, it sets the stage for particularly vexatious claimants to threaten class action proceedings on behalf of all users of a non-compliant website. The possible financial exposure in such a claim is substantial by the standards of any company, and the risk has not gone unnoticed.

The question of data protection compliance, including the use of tracking cookies, is increasingly arising in mergers and acquisitions work where more businesses are reliant on their web-presence. Purchasers are ever more aware of the risks that longstanding non-compliance presents and are exploring and addressing these issues in the due diligence process.

The simple solution to the increasing threat of cookies use claims is to ensure a watertight policy on data privacy and tracking technologies, along with regular spot-checks to ensure that technical glitches are not causing cookies to be placed without user consent. As more internet users catch on to the “easy money” opportunity presented by unlawful cookies use, it is more important than ever for businesses to get their own use in order and avoid becoming a target.

If your business is targeted by a cookies use claimant, we are able to offer a fixed fee package for advising on and assisting with managing the claim. If you receive such a claim or would like assistance in reviewing your existing policies to ensure compliance, please contact us.
