Valerie Armstrong-Surgenor: Our ‘cookie’ recipe to assist you with compliance
The short answer? Yes – for a number of reasons.
So why are we raising this now?
In this update, we explore these court decisions in more detail and provide you with our ‘cookie’ recipe to help you comply.
The case of Lloyd v Google
In the leading case of Lloyd v Google LLC, the Court of Appeal held that a court can award an individual damages for loss of control of their personal data. This judgment also went one step further by confirming that an individual does not necessarily need to prove financial loss or distress to be successful in raising such a claim. Unsurprisingly, Google has appealed this decision to the Supreme Court, with the judgment yet to be announced.
A second element of this case (but just as important) relates to whether the claim itself could be brought as a representative action. What does this mean? Mr Lloyd has raised the action on behalf of 4 million iPhone users, being a defined class of users with the same interest (what happened to each iPhone user when they used the Safari browser). Mr Lloyd is claiming £750 on a per user basis. If he is successful on appeal, this could mean the door being well and truly pushed open to future representative actions.
The case itself is about the impact of the “Safari workaround”, which essentially permitted Google to place tracking cookies on a user’s device without their consent or knowledge – a fundamental breach of data privacy principles.
Warren v DSG
More recently, the High Court provided more clarification on compensation arising from accidental data breaches.
In the case of Warren v DSG, a claim was brought for breach of confidence, misuse of private information and negligence as a result of an unauthorised third party cyber-attack. The judge dismissed the claims, holding that neither breach of confidence nor misuse of private information imposed a data security duty on holders of information, because those causes of action require a positive wrongful act on the defendant’s part. In respect of the negligence part of the claim, it was held that there was no common law duty of care and that a state of anxiety falling short of a clinically recognisable illness does not qualify as damage sufficient to complete a claim.
Whether the Warren decision will have an impact on the volume of claims being issued is yet to be seen. However, it will be a welcome development for organisations, as it narrows the scope in which a claim in respect of alleged data protection breaches can be brought. It should be noted that this case was brought under the old Data Protection Act 1998, and it remains to be seen whether future claimants will attempt to distance their claims from its findings.
A recipe to assist you with cookie compliance
With the rules in the data protection landscape evolving rapidly, it is important for organisations to be proactive about their cookie use so that they are able to pre-empt any claims arising against them.
If you are an organisation concerned about your cookie use, you should:
Take action: Identify and categorise the cookies and tracking technologies on your website and confirm the purpose of each of these cookies. When doing this, you should distinguish between the cookies that are strictly necessary and those that are not. This may be something your website developer will know or can help you with!
If your website uses any Google services (for example, Google Analytics, Gtag, Floodlight or Google Ads), then deploy Google’s new ‘Consent mode’, which enables you to adjust how your cookies work based on the consent status of your users.
If there is a possibility that children are accessing your website, you will also need to bear in mind and comply with the requirements of the ICO’s code of practice on Age Appropriate Design.
Build a centrally located, historical consent database to demonstrate compliance to regulators and auditors.
If your cookies change at any time, for example, if you introduce a new cookie or the purpose of an existing cookie changes, then you will need to make users aware of these changes in order to allow them to give their informed consent or not.
Think Retention – how long until your cookie consent expires and when should you ask your users for their consent again?
Seek advice – if you receive any communication from a customer or a user about your cookies, do not ignore it. There are always steps you can take, but taking action and seeking early advice will help!
Do the rules on cookies only apply to websites?
Valerie Armstrong-Surgenor is a partner at MacRoberts LLP