Cookie litigation is on the rise, and it appears that all organisations of any size, sector and industry are being targeted.
As discussed in detail in our “Cookies Crumbling – The Rise of Litigation” article, published in our June 2021 edition of the Data And Cyber Bulletin (found here), the well-known privacy group, “none-of-your- business” (“noyb”), headed up by privacy activist Max Schrems, has continued with its campaign against companies’ use of non-compliant cookie banners. Noyb threatens to file a formal complaint with the relevant Data Protection Authority (“DPA”), if the offending company does not remedy the violations complained of within 30 days. Noyb has boasted to have filed 422 GDPR complaints with ten DPAs, in just one day (10 August 2021), as a result of “nerve-wrecking “Cookie Banners””.
In addition to noyb, we are facing the rise of compensation claims from a small group of claimants. These individuals are sending identical Letters of Claim to multiple organisations alleging “distress” arising from websites placing cookies on their devices, without first obtaining their consent. Contrary to the ethical driver behind noyb’s campaign, it seems the objective behind these individuals’ claims is to achieve a quick financial pay-out from the defendant companies.
The laws around cookies (PECR and the UK GDPR)
The rules around the use of cookies and associated cookie banners are clear and, in the UK, are set out in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) which are derived from European Directive 2002/58/EC, the “e-Privacy Directive”.
In short, companies must provide sufficient information about the cookies and obtain consent prior to setting cookies (or similar technologies) on a user’s device unless they are deemed strictly necessary (i.e. without which the website simply would not work). To be valid, consent must meet the standard set out in the General Data Protection Regulation (“GDPR”), or the UK GDPR post Brexit, that is; freely given, specific, and informed. There must be some form of unambiguous positive action on the part of the user – for example, ticking a box or clicking a link – and the person must fully understand that they are giving consent.
Regulation 30(1) of PECR entitles a person who has suffered damage by reason of any contravention of PECR, to bring proceedings against the offending party for compensation for that damage. Article 82(1) of the GDPR (and section 168 of the DPA 2018) affords individuals the right to receive compensation from a controller or processor where they have suffered material or non-material damage as a result of an infringement of the GDPR.
The claim
The Letters of Claim allege that non-essential cookies are being placed on users’ devices automatically, without: (i) providing clear and comprehensive information about the purposes of the cookies and the storage of, or access to, the information collected; and/or (ii) obtaining user consent prior to placing the cookies. They allege that there is either no consent capture mechanism on the targeted company websites, or that the cookie banner that is present is not compliant with PECR / UK GDPR.
The claimants also allege that personal data was processed by the cookies, namely “online identifiers”, such as their IP address and browsing characteristics. Further, they claim that the processing of their personal data has not been done in a fair, lawful and transparent manner, which they say breaches Article 5 of the GDPR.
The Letters of Claim are typically accompanied by a without prejudice settlement offer of between £500 –
£1,000.
Challenges and strategy
Personal data
The claimants typically assume that personal data is captured by the cookies, however, this is often not correct. Organisations’ websites can utilise an IP anonymisation feature which means the claimant is not capable of being identified from the information collected by the relevant cookies. Consequently, no personal data is processed.
Evidence of distress
The Letters of Claim generally fail to particularise the claimant’s alleged distress, or indeed how any damage has been suffered as a result of the placement of the cookies. Any evidence of distress must exceed the de minimis threshold (i.e. be more than trivial), which was reinforced by the Supreme Court’s recent judgment in Lloyd v Google LLC1 where it was confirmed that a claimant’s right to compensation is not automatic; the claimant must prove material damage or distress.
Given the persistent and multiple claims we are seeing being brought by the same small group of individuals against various unrelated organisations, it would appear that they may be actively seeking out websites that are not compliant with PECR. Consequently, it is questionable how any distress claimed could be either rational or more than de minimis.
Regulatory and legislative reform
In response to noyb’s cookie complaints and the rising number of cookie claims, the European Data Protection Board (the “EDPB”), has established a task force to coordinate the response to complaints filed with supervisory authorities in the EU and the EEA, concerning an organisation’s cookies banner compliance. The aim of this taskforce is to harmonise and coordinate the approach to investigating and responding to noyb’s (and other similar privacy groups) cookie complaints.
The EU Commission is currently consulting on amendments to the e-Privacy Directive in an effort to simplify the rules on cookies in order to create a more user-friendly experience. Notably, the main amendment concerns removing some consent permissions for non-privacy intrusive cookies within the new e-Privacy Regulation. An updated draft, following negotiations between the EU Commission, EU Council and EU Parliament, is expected before the end of the year (2021), with the implementation of the e-Privacy Regulation commencing in late-2022/early-2023. It will be interesting to observe noyb’s position on the potential changes coming with the new e-Privacy Regulation.
In addition to the e-Privacy Regulation updates, the ICO’s governing body, the Department for Digital, Culture, Media and Sport (the “DCMS”), has recently completed a two-month consultation on whether to withdraw the requirement for consent for cookie notices under UK law. The two key proposals from the consultation were: 1) removing the need for a user’s consent for analytical cookies; and 2) allowing cookies on websites without user’s consent for ‘other’ limited purposes. The DCMS believe that allowing analytical cookies to act the same way as necessary cookies, where user consent is not required, could benefit users in terms of their browsing experience. Also, the DCMS are proposing that organisations include additional safeguards to ensure that the processing of analytical data without a user’s consent poses a low risk of harm to the user’s privacy. The DCMS are set to release their findings from the consultation in Spring 2022. Could this help put a lid on the cookie claim jar?
1[2021] UKSC 50
