Data Breach and Cookie Monster claims

This article on Cookie Policies is Part 2 of a series of articles on all things tech related.  Nick Goodchild will bring his expertise to the table from a commercial point of view whereas Nick Parkinson will be looking at things from a litigation perspective.  Together, they are Tech-Nicks!

In our previous article Nick Goodchild explained what cookies are and set out the steps needed to comply with the applicable regulations (GDPR & PECR).  But what happens if you ‘Get It Wrong’ and breach the regulations?

Potentially, yes!  Let’s say an employee sends an e-mail, which includes personal data such as passport details, to customer A instead of customer B by mistake.  That would be a breach of the regulations and may well cause customer B distress.  Customer B may have grounds to bring a claim for compensation and legal costs.  Such mistakes by employees are inevitable from time to time, but what about the risk posed by operating a website that ‘Gets Cookies Wrong’?

Let’s say someone visits your website and one or more ‘non-essential cookies’ are deployed on their device without consent.  That would be a breach of the regulations and, in principle, the visitor could bring a claim against you for any distress caused!  This seems like a very minor and technical breach of the rules with ‘no harm done’, right?  Well, this is where the ‘Cookie Monsters’ come in…

Various ‘Cookie Monsters’ have made an impression in the travel industry for making claims for compensation due to Cookies being deployed on their device without their permission.  Their typical MO is to:

  • Record a video showing them visit your website
  • Show what cookies are installed on their device before visiting the site
  • Show what cookies are installed after entering the site
  • Show that one or more of the cookies (usually ‘tracking cookies’) require express consent which was not provided

They will also provide lots of ‘clever looking’ legal analysis which explains why you now owe them lots of compensation and legal costs for the distress caused.  So what can you do when faced with such a situation?

First we have to consider the facts.  Is what they say actually correct?  In the first example above, have you accidentally disclosed ‘personal data’ to the wrong customer from which they can be identified?  For the second example, did your website deploy ‘non-essential cookies’ on their device without consent?

The second aspect to consider is whether the visitor/customer has genuinely suffered distress as a result of the breach.  Alternatively, is this some sort of scam where Cookie Monsters, for example, are ‘looking for breaches’ and sending out claim letters en masse to ‘see what bites’?

Even if you accept fault and agree to pay some compensation, you are not necessarily obliged to pay their legal costs in full.  There is a new ‘fixed costs’ regime which limits the amount they are entitled to recover from you.  This figure is calculated based on the amount of compensation agreed and at what stage of the court process settlement was agreed. 

Of course!  We have helped many of our clients in the travel industry to defend claims for a ‘Data Breach’ or ‘Cookie Misuse’ under the GDPR or PECR regulations.  If you receive such a claim, make sure you get in touch so that we can guide you to the best possible outcome!

Looking ahead to Part 3 of our series of ‘Tech-Nicks’ articles: technology contracts and the importance of specifications.

We hope you found this article useful, and if you would like advice or help drafting your own Cookie Policy, please contact us using the details below.

This article was originally published on: 9 February 2024
