Valerie Armstrong-Surgenor: Our ‘cookie’ recipe to assist you with compliance
You visit a website; on the landing page, before you go any further, you are often asked to make decisions about ‘cookies’, quite often with a slider to switch them on or off. Some websites, however, don’t ask you to make any decisions and some do not even have a cookie policy. Does any of this matter?
The short answer? Yes – for a number of reasons.
So why are we raising this now?
Due to recent court decisions, we are seeing an increasing wave of individuals and claimant firms sending letters to organisations claiming that their use of cookies contravenes the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
In this update, we explore these court decisions in more detail and provide you with our ‘cookie’ recipe to help you comply.
The case of Lloyd v Google
In the leading case of Lloyd v Google LLC, the Court of Appeal held that a court can award an individual damages for loss of control of their personal data. This judgment also went one step further by confirming that an individual does not necessarily need to prove financial loss or distress to be successful in raising such a claim. Unsurprisingly, Google has appealed this decision to the Supreme Court, with the judgment yet to be announced.
A second element of this case (but just as important) relates to whether the claim itself could be brought as a representative action. What does this mean? Mr Lloyd has raised the action on behalf of 4 million iPhone users, a defined class of users with the same interest (what happened to each iPhone user when they used the Safari browser). Mr Lloyd is claiming £750 on a per user basis. If he is successful on appeal, this could mean the door being well and truly pushed open to future representative actions.
The case itself is about the impact of the “Safari workaround”, which essentially permitted Google to place tracking cookies on a user’s device without their consent or knowledge – a fundamental breach of data privacy principles.
So, what does this mean? In short, the Lloyd case effectively opened the floodgates for individuals (and potentially group actions) to litigate on data breaches and left organisations vulnerable to claims being made against them by individuals for loss of control of personal data, including claims regarding the improper use of cookies.
Warren v DSG
More recently, the High Court provided more clarification on compensation arising from accidental data breaches.
In the case of Warren v DSG, a claim was brought for breach of confidence, misuse of private information and negligence as a result of an unauthorised third party cyber-attack. The judge dismissed the claims, holding that neither breach of confidence nor misuse of private information imposed a data security duty on holders of information, because those causes of action require a positive wrongful act on the defendant’s part. In respect of the negligence part of the claim, it was held that there was no common law duty of care and that a state of anxiety falling short of a clinically recognisable illness does not qualify as damage sufficient to complete a claim.
Whether the Warren decision will have an impact on the volume of claims being issued is yet to be seen. However, it will be a welcome development for organisations as it narrows the scope in which a claim in respect of alleged data protection breaches can be brought. It should be noted that this case was brought under the old Data Protection Act 1998, and it remains to be seen whether future claimants will attempt to distance their claims from its findings.
A recipe to assist you with cookie compliance
With the rules in the data protection landscape evolving rapidly, it is important for organisations to be proactive about their cookie use so that they can pre-empt any claims arising against them.
If you are an organisation concerned about your cookie use, you should:
Take action: Identify and categorise the cookies and tracking technologies on your website and confirm the purpose of each of these cookies. When doing this, you should distinguish between the cookies that are strictly necessary and those that aren’t. This may be something your website developer will know or can help you with!
If your website uses any Google services (for example, Google Analytics, Gtag, Floodlight or Google Ads), then deploy Google’s new ‘Consent mode’, which enables you to adjust how your cookies work based on the consent status of your users.
Our favourite pop-ups – the cookie banner! Be careful not to track users before they have given their consent! Display a cookie consent banner that auto-blocks cookies until the visitor positively opts in or out of your cookie policy. This banner should include key information such as what the cookies are used for and should not use any pre-ticked boxes (or equivalents) for non-essential cookies. A full ‘cookie wall’ – ie requiring users to agree to cookies before allowing access to a website – is highly unlikely to be compliant according to the regulator, the Information Commissioner’s Office (ICO).
Provide more detailed information about your cookies to users in a separate cookie policy. The information contained in the policy should be as transparent and as user-friendly as possible.
If there is a possibility that children are accessing your website, you will also need to bear in mind and comply with the requirements of the ICO’s code of practice on Age Appropriate Design.
Build a centrally located, historical consent database to demonstrate compliance to regulators and auditors.
If your cookies change at any time, for example, if you introduce a new cookie or the purpose of an existing cookie changes, then you will need to make users aware of these changes in order to allow them to give their informed consent or not.
Think Retention – how long until your cookie consent expires and when should you ask your users for their consent again?
Seek advice – if you receive any communication from a customer or a user about your cookies, do not ignore it. There are always steps you can take, but taking action and seeking early advice will help!
Do the rules on cookies only apply to websites?
No – the use of cookies and ensuring compliance is not only limited to websites. PECR applies to any technique that stores information, or accesses information stored, in the terminal equipment of the subscriber or user, so other technologies, such as mobile apps, will also have to comply with the rules on cookies.
Valerie Armstrong-Surgenor is a partner at MacRoberts LLP