Businesses are being targeted by individuals who are alleging that their data rights have been breached when visiting the company's website and 'cookies' were used without their consent.
Cookies are packets of data that a website uses to identify a visitor's computer and use that visitor's computer network. Cookies remember certain information about a visitor– for instance, items placed in a shopping cart on an e-commerce website – and will use this information if the user re-visits the site.
The law on cookie usage
The rules relating to the use of website cookies in the UK are governed by the Privacy and Electronic Communications Regulations 2003 (PECR, which implemented an EU directive of the same name dated 2002). The PECR provides that a business's website needs to obtain a visitor's consent prior to using cookies on the visitor's device (unless the cookies are absolutely necessary and the site would be unable to function without them). The website must also provide the visitor with sufficient information about the cookies that the visitor is being asked to consent to. In order for the consent to be valid, it has to be "freely given, specific and informed" as per the GDPR.
Implications for companies and their insurers
The recent cookie-related data breach claims brought against travel companies replicate claims that we have seen against other businesses. Often the claimant does not explain why they were visiting the website and often it appears that they are doing so purely for the purpose of bringing a cookie-related data breach claim. Whilst seemingly lacking merit, the sum claimed can make it appear attractive to simply pay up. However, this will, in all likelihood, simply encourage such claims to proliferate. It may therefore be appropriate to take a more robust stance and to press the claimant as to the reason for their accessing the site and for details of the information that they say was captured by the cookie(s). It may also be worthwhile arguing that any breach does not trigger an entitlement to compensation above the acknowledged de minimis threshold.
In addition, although these recent claims may be opportunist at best and an improper use of the claims process and underlying legislation at worst (for example where the use of the website was solely for the purpose of bringing a claim and where no personal data other than that related to the visit itself was obtained by the cookie), it is still important that businesses understand the type of cookies they are using and ensure that there is a mechanism for visitors to the site to opt in or out of any cookies which are "non-essential". It is also important that websites provide sufficient information about the types and purposes of the cookies being used.
The Government has recently indicated that there will be a "shake up" of data rules post-Brexit which may include disposing of cookie pop-ups. However, any changes may be slow to take effect. For the meantime, it is good practice for companies to err on the side of caution and deploy cookie pop-ups obtaining site visitors' consent in order to reduce the risk of data-related claims, however spurious or ill-intentioned such claims may be.
Originally published 21 Oct 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.