This article on Cookie Policies is Part 2 of a series of articles on all things tech related. Nick Goodchild will bring his expertise to the table from a commercial point of view whereas Nick Parkinson will be looking at things from a litigation perspective. Together, they are Tech-Nicks!
Previously on Tech-Nicks
In our previous article Nick Goodchild explained what cookies are and set out the steps needed to comply with the applicable regulations (GDPR & PECR). But what happens if you ‘Get It Wrong’ and breach the regulations?
Can We Be Sued For Compensation?
Potentially, yes! Let’s say an employee sends an e-mail, which includes personal data such as passport details, to customer A instead of customer B by mistake. That would be a breach of the regulations and may well cause customer B distress. Customer B may have grounds to bring a claim for compensation and legal costs. Such mistakes by employees are inevitable from to time, but what about the risk posed by operating a website that ‘Gets Cookies Wrong’?
Getting Cookies Wrong
Let’s say someone visits your website and one or more ‘non-essential cookies’ are deployed on their device without consent. That would be a breach of the regulations and, in principle, the visitor could bring a claim against you for any distress caused! This seems like a very minor and technical breach of the rules with ‘no harm done’ right? Well, this is where the ‘Cookie Monsters’ come in…
Introducing Cookies Monsters
Various ‘Cookie Monsters’ have made an impression in the travel industry for making claims for compensation due to Cookies being deployed on their device without their permission. Their typical MO is to:
- Record a video showing them visit your website
- Show what cookies are installed on their device before visiting the site
- Show what cookies are installed after entering the site
- Show that one or more of the cookies (usually ‘tracking cookies’) require express consent which was not provided
They will also provide lots of ‘clever looking’ legal analysis which explains why you now owe them lots of compensation and legal costs for the distress caused. So what can you do when faced with such a situation?
How To Defend Such Claims?
First we have to consider the facts. Is what they say actually correct? In the first example above, have you accidentally disclosed ‘personal data’ to the wrong customer from which they can be identified? For the second example, did your website deploy ‘non-essential cookies’ on their device without consent?
The second aspect to consider is whether the visitor/customer has genuinely suffered distress as a result of the breach? Alternatively, is this some sort of scam where Cookies Monsters, for example, are ‘looking for breaches’ and sending out claim letters en-masse to ‘see what bites’?
What About Legal Costs?
Even if you accept fault and agree to pay some compensation, you are not necessarily obliged to pay their legal costs in full. There is a new ‘fixed costs’ regime which limits the amount they are entitled to recover from you. This figure is calculated based on the amount of compensation agreed and at what stage of the court process settlement was agreed.
Can Travlaw Help?
Of course! We have helped many of our clients in the travel industry to defend claims for a ‘Data Breach’ or ‘Cookie Misuse’ under the GDPR or PECR regulations. If you receive such a claim, make sure you get in touch so that we can guide you to the best possible outcome!
Next Up
Looking ahead, in Part 3 of our series of ‘Tech-Nicks’ articles, technology contracts and the importance of specifications.
We hope you found this Article useful, and if you would like advice or help drafting your own Cookie Policy, please contact us using the details below
This article was originally published on: 9 February 2024
