Malicious cookie damages claims and how to manage them

Over the past few months, we have seen an increase in clients receiving threats of legal action over the alleged misuse of personal data, accompanied by offers to settle.

The letters are well written, cite the law in detail and quote case law. They have been put together by people with legal knowledge and build a solid, evidence-based argument that there have been breaches of both PECR (the Privacy and Electronic Communications Regulations) and the GDPR (General Data Protection Regulation).

In most cases these arguments centre on the dropping of Google cookies without adequate consent. They allege, possibly correctly, that this enables Google to fully track the user’s activities and send the complainant’s data to the US without adequate mechanisms in place to safeguard the data.

It’s important to understand that the argument put forward by serial complainants often has merit. They have a methodology for identifying non-compliant websites and use a straightforward process to issue large numbers of letters before action.

Many websites are currently non-compliant. We often see examples of non-essential cookies being dropped on end-user devices without a suitable consent mechanism as the law demands.

Indeed, organisations often seem prepared to take the risk of dropping such cookies rather than lose the knowledge they provide – or are simply ignorant of the law.

The law offers little help with this situation. The existing rules are a mix of older ePrivacy legislation (the EU ePrivacy Directive, implemented in the UK as PECR) and newer legislation such as the GDPR, and the two do not always sit comfortably together.

Recent drafts of the EU’s proposed ePrivacy Regulation, which is intended to replace the existing “cookie laws” across Europe, have attempted to include a provision allowing website analytics without explicit consent, provided they are used solely to understand how the website is used and individual tracking is not enabled.


The UK ICO (Information Commissioner’s Office) suggests a slightly softer approach in some areas. It writes:

“Although the ICO cannot rule out the possibility of formal action in any area, this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individuals. However you should also note that where you use first-party analytics cookies provided by a third party, this is not necessarily going to be the case.”

It also looks likely that the IAB’s (Interactive Advertising Bureau) cookie consent framework, the Transparency and Consent Framework (TCF), is about to be called out as non-compliant in Europe.

If this happens, the many organisations that rely on cookie consent solutions using this framework (which is specifically built to ensure Internet-based advertising solutions use only consented data) will suddenly find themselves on the wrong side of the law.

Such deviations from the straightforward “essential cookies only” message further confuse organisations, and it is this doubt that is being exploited by individuals who understand the law and can identify and target organisations whose approach is flawed or incomplete.

The problem is not just that the law is being breached (often the complaint is technically correct). It is that some individuals see this as an opportunity to threaten and exploit the lack of knowledge of well-intentioned organisations that haven’t the resources in-house to recognise that they have done wrong.

The targets of such claims are typically smaller businesses, where that lack of in-house expertise is even more likely, and where the reaction is likely to be panic followed by a knee-jerk settlement.

So, what can organisations do to avoid or mitigate this?


With the right preventive actions, organisations can quickly escape being easy targets for such claims. Here are a few tips:

  1. Audit your website cookie behaviour. If you don’t have the knowledge in-house to understand how your website is working and if it is compliant with the law, then get external help.
  2. Don’t allow your website teams to add new applications or make changes without fully understanding the privacy impact of doing so. Often this is how unexpected cookie activity gets drawn into a user’s website journey. In many cases we find cookies on client sites that are unknown to the client.
  3. Ensure that your privacy and cookie policies and notices are comprehensive and are maintained.
  4. Ensure that your cookie consent mechanisms are comprehensive and transparent when using non-essential cookies. You must also check that they are working. We have seen examples of the consent mechanism not being correctly configured, allowing cookies to be dropped regardless of the user’s choices.
  5. Be prepared to have tough conversations with internal marketing and IT teams. Marketing won’t want to see a reduction in key statistics, or a reduced ability to personalise or otherwise make use of tracking data.
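Tips 1 and 4 (audit what your site actually drops, and prove the consent mechanism works) come down to one check: capture the cookies set on a first visit with the banner untouched, capture them again after the visitor rejects non-essential cookies, and flag anything that looks like analytics or advertising in either set. The script below is an added example of that differential audit; it is not the page’s own tooling or DQM GRC’s service. The hostnames, Set-Cookie headers and the short list of Google cookie-name patterns are constructed for illustration (assumptions, not an authoritative classification); a real audit would feed it headers captured from a browser session or HAR export and classify against a maintained cookie database.

```python
"""Differential pre-consent cookie audit (added example; all sample data is constructed)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: an illustrative set of Google analytics/advertising cookie-name patterns.
# A real audit would classify against a maintained cookie database, not this list.
TRACKING_PATTERNS = {
    "google-analytics": re.compile(r"^(_ga(_[A-Z0-9]+)?|_gid|_gat(_[A-Za-z0-9_]+)?)$"),
    "google-ads": re.compile(r"^(_gcl_(au|aw|dc)|IDE|test_cookie)$"),
}

Observation = Tuple[str, str]  # (host that sent the response, Set-Cookie header value)


@dataclass
class Cookie:
    name: str
    domain: str        # host or Domain attribute the cookie is scoped to (no leading dot)
    persistent: bool   # Expires or positive Max-Age present: survives the browser session
    deleted: bool      # Max-Age <= 0: this header clears the cookie rather than setting it
    third_party: bool  # scoped to a different registrable domain than the audited site


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (assumption: adequate for the sample, not for co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header: str, response_host: str, site_host: str) -> Cookie:
    """Parse one Set-Cookie header observed on a response from response_host."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name = pair.split("=", 1)[0].strip()
    domain, max_age, has_expires = response_host.lower(), None, False
    for attr in attrs:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "domain" and value:
            domain = value.lower().lstrip(".")
        elif key == "max-age" and value.lstrip("-").isdigit():
            max_age = int(value)
        elif key == "expires":
            has_expires = True
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    deleted = max_age is not None and max_age <= 0
    persistent = (max_age > 0) if max_age is not None else has_expires
    third_party = registrable_domain(domain) != registrable_domain(site_host)
    return Cookie(name, domain, persistent, deleted, third_party)


def classify(cookie: Cookie) -> Optional[str]:
    """Return the tracking category the cookie name matches, or None if unrecognised."""
    for category, pattern in TRACKING_PATTERNS.items():
        if pattern.match(cookie.name):
            return category
    return None


def tracking_cookies(observations: List[Observation], site_host: str) -> Dict[Tuple[str, str], Tuple[Cookie, str]]:
    """Keep only live (non-deleting) cookies that match a tracking pattern, keyed by name and domain."""
    found: Dict[Tuple[str, str], Tuple[Cookie, str]] = {}
    for response_host, header in observations:
        cookie = parse_set_cookie(header, response_host, site_host)
        category = classify(cookie)
        if category and not cookie.deleted:
            found[(cookie.name, cookie.domain)] = (cookie, category)
    return found


def audit(pre_consent: List[Observation], post_reject: List[Observation], site_host: str) -> List[dict]:
    """Two finding classes: tracking cookies dropped before any consent was given, and
    tracking cookies still dropped after the visitor rejected non-essential cookies
    (the misconfigured-banner case where cookies land regardless of the user's choice)."""
    findings = []
    for issue, observations in (("set before consent", pre_consent),
                                ("set despite rejection", post_reject)):
        for cookie, category in tracking_cookies(observations, site_host).values():
            findings.append({"cookie": cookie.name, "domain": cookie.domain,
                             "category": category, "persistent": cookie.persistent,
                             "third_party": cookie.third_party, "issue": issue})
    return findings


# Constructed sample: what a browser might record on a first visit with the banner
# untouched, and again after clicking "Reject all". Not captured from any real site.
SITE_HOST = "www.example.org"
PRE_CONSENT: List[Observation] = [
    ("www.example.org", "sessionid=9f3a1c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.org", "cookie_consent=pending; Path=/; Max-Age=15552000; SameSite=Lax"),
    ("www.example.org", "_ga=GA1.2.1234567890.1700000000; Domain=.example.org; Path=/; Max-Age=63072000"),
    ("www.example.org", "_gid=GA1.2.987654321.1700000000; Domain=.example.org; Path=/; Max-Age=86400"),
    ("stats.g.doubleclick.net", "IDE=AHWqTUkx; Domain=.doubleclick.net; Path=/; Expires=Sat, 01 Jan 2028 00:00:00 GMT; Secure; SameSite=None"),
]
POST_REJECT: List[Observation] = [
    ("www.example.org", "cookie_consent=rejected; Path=/; Max-Age=15552000; SameSite=Lax"),
    ("www.example.org", "_gid=; Domain=.example.org; Path=/; Max-Age=0"),  # cleared on reject: fine
    ("www.example.org", "_ga=GA1.2.1234567890.1700000000; Domain=.example.org; Path=/; Max-Age=63072000"),
]

if __name__ == "__main__":
    for finding in audit(PRE_CONSENT, POST_REJECT, SITE_HOST):
        print(finding)
```

On the sample, the first-visit capture produces three “set before consent” findings (`_ga`, `_gid` and the third-party `IDE`), and the post-rejection capture shows `_ga` still being set even though `_gid` was cleared, which is exactly the misconfigured-consent situation described in tip 4. The essential session cookie and the consent cookie itself are not flagged. The same differential approach works for any other vendor once the pattern table is replaced with a proper classification source.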

It’s worth remembering that many individuals, browsers and browser extensions block such non-essential cookies by default in any case. We all need to learn to work with smaller sample data sets and to provide a real “value exchange” with individuals so that they let us use their data for their benefit.

If you do receive a claim for damages, then each one must be judged on its own merits and each organisation will have different tolerance to such threats. However, you should:

  1. Check the complaint carefully. Don’t assume it is correct – often we see a conflation of issues that don’t really hold much water when tested.
  2. Respond quickly to the complainant. Ignoring the letter can itself be a breach of the GDPR, particularly where it includes a subject access request or other data subject request, which must be answered within the statutory one month. The response can be a simple “Thank you. We are investigating, and will come back to you in such-and-such timescale.”
  3. Carefully record all correspondence securely.
  4. Talk to your legal advisors about how to progress and whether the complaint holds merit.
  5. Take action to remediate any technical non-compliance.

You should also note that, although a single PECR breach involving first-party cookies by a small organisation is unlikely to result in a large fine, it remains a possibility. In most such cases where the ICO becomes involved, it will seek assurance that the problem has been fixed rather than jump straight to a financial penalty.

If you’re looking for help understanding your cookie requirements, DQM GRC can help. With our GDPR Cookie Compliance Service, you’ll receive a full website review to make sure your cookie banner complies with the law.

Our experts will highlight any cookies with known risks or that are not included in your cookie policies or notices. They’ll also provide a report that contains an action plan that explains your current compliance posture and the steps you should take to improve.
