Data Breach And Cookie Monster Claims
Previously on Tech-Nicks
In our previous article Nick Goodchild explained what cookies are and set out the steps needed to comply with the applicable regulations (GDPR & PECR). But what happens if you ‘Get It Wrong’ and breach the regulations? Nick Parkinson has the answers…
Can We Be Sued For Compensation?
Potentially, yes! Let’s say an employee sends an e-mail, which includes personal data such as passport details, to customer A instead of customer B by mistake. That would be a breach of the regulations and may well cause customer B distress. Customer B may have grounds to bring a claim for compensation and legal costs. Such mistakes by employees are inevitable from time to time, but what about the risk posed by operating a website that ‘Gets Cookies Wrong’?
Getting Cookies Wrong
Let’s say someone visits your website and one or more ‘non-essential cookies’ are deployed on their device without consent. That would be a breach of the regulations and, in principle, the visitor could bring a claim against you for any distress caused! This seems like a very minor and technical breach of the rules with ‘no harm done’, right? Well, this is where the ‘Cookie Monsters’ come in…
Introducing Cookie Monsters
Various ‘Cookie Monsters’ have made an impression in the travel industry for making claims for compensation due to Cookies being deployed on their device without their permission. Their typical MO is to:
Record a video showing them visit your website
Show what cookies are installed on their device before visiting the site
Show what cookies are installed after entering the site
Show that one or more of the cookies (usually ‘tracking cookies’) require express consent which was not provided
They will also provide lots of ‘clever looking’ legal analysis which explains why you now owe them lots of compensation and legal costs for the distress caused. So what can you do when faced with such a situation?
How To Defend Such Claims?
First we have to consider the facts. Is what they say actually correct? In the first example above, have you accidentally disclosed ‘personal data’ to the wrong customer from which they can be identified? For the second example, did your website deploy ‘non-essential cookies’ on their device without consent?
The second aspect to consider is whether the visitor/customer has genuinely suffered distress as a result of the breach. Alternatively, is this some sort of scam where Cookie Monsters, for example, are ‘looking for breaches’ and sending out claim letters en masse to ‘see what bites’?
What About Legal Costs?
Even if you accept fault and agree to pay some compensation, you are not necessarily obliged to pay their legal costs in full. There is a new ‘fixed costs’ regime which limits the amount they are entitled to recover from you. This figure is calculated based on the amount of compensation agreed and at what stage of the court process settlement was agreed.
Can Techlaw Help?
Of course! We have helped many of our clients in the travel industry to defend claims for a ‘Data Breach’ or ‘Cookie Misuse’ under the GDPR or PECR regulations. If you receive such a claim, make sure you get in touch so that we can guide you to the best possible outcome!
Next Up
Nick G will be providing some key tips on technology contracts and the importance of specifications.