Data Breach and Cookie Monster claims

This article on Cookie Policies is Part 2 of a series of articles on all things tech related.  Nick Goodchild will bring his expertise to the table from a commercial point of view whereas Nick Parkinson will be looking at things from a litigation perspective.  Together, they are Tech-Nicks!

In our previous article Nick Goodchild explained what cookies are and set out the steps needed to comply with the applicable regulations (GDPR & PECR).  But what happens if you ‘Get It Wrong’ and breach the regulations?

Potentially, yes!  Let’s say an employee sends an e-mail, which includes personal data such as passport details, to customer A instead of customer B by mistake.  That would be a breach of the regulations and may well cause customer B distress.  Customer B may have grounds to bring a claim for compensation and legal costs.  Such mistakes by employees are inevitable from time to time, but what about the risk posed by operating a website that ‘Gets Cookies Wrong’?

Let’s say someone visits your website and one or more ‘non-essential cookies’ are deployed on their device without consent.  That would be a breach of the regulations and, in principle, the visitor could bring a claim against you for any distress caused!  This seems like a very minor and technical breach of the rules with ‘no harm done’ right?  Well, this is where the ‘Cookie Monsters’ come in…

Various ‘Cookie Monsters’ have made an impression in the travel industry for making claims for compensation due to Cookies being deployed on their device without their permission.  Their typical MO is to:

  • Record a video showing them visit your website
  • Show what cookies are installed on their device before visiting the site
  • Show what cookies are installed after entering the site
  • Show that one or more of the cookies (usually ‘tracking cookies’) require express consent which was not provided

They will also provide lots of ‘clever looking’ legal analysis which explains why you now owe them lots of compensation and legal costs for the distress caused.  So what can you do when faced with such a situation?

First we have to consider the facts.  Is what they say actually correct?  In the first example above, have you accidentally disclosed ‘personal data’ to the wrong customer from which they can be identified?  For the second example, did your website deploy ‘non-essential cookies’ on their device without consent?

The second aspect to consider is whether the visitor/customer has genuinely suffered distress as a result of the breach.  Alternatively, is this some sort of scam where Cookie Monsters, for example, are ‘looking for breaches’ and sending out claim letters en masse to ‘see what bites’?

Even if you accept fault and agree to pay some compensation, you are not necessarily obliged to pay their legal costs in full.  There is a new ‘fixed costs’ regime which limits the amount they are entitled to recover from you.  This figure is calculated based on the amount of compensation agreed and at what stage of the court process settlement was agreed. 

Of course!  We have helped many of our clients in the travel industry to defend claims for a ‘Data Breach’ or ‘Cookie Misuse’ under the GDPR or PECR regulations.  If you receive such a claim, make sure you get in touch so that we can guide you to the best possible outcome!

Looking ahead, Part 3 of our series of ‘Tech-Nicks’ articles covers technology contracts and the importance of specifications.

We hope you found this article useful, and if you would like advice or help drafting your own Cookie Policy, please contact us using the details below.

This article was originally published on: 9 February 2024
