Businesses are having claims made against them by individuals who are alleging that their data rights have been breached when visiting the company’s website. The claims suggest that ‘cookies’ were used without their consent.
What are cookies?
Cookies are text files with small pieces of data that are used to identify your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience. Data stored in a cookie is created by the server upon your connection. This data is labeled with an ID unique to you and your computer. When the cookie is exchanged between your computer and the network server, the server reads the ID and knows what information to specifically serve to you.
What is the law on using cookies?
Contrary to popular belief, the Cookie Law was not repealed by the GDPR and still applies as of October 2021.
- The Cookie Law requires users’ informed consent before storing or accessing information on user’s devices.
- Consent to cookies must be freely given, specific, informed, and based on an explicit affirmative action; many EU Data Protection Authorities have released guidance on cookies and similar technologies that include advice and recommendations on valid methods to obtain consent.
- While the Cookie Law does not explicitly require that records of consent be kept, in most cases cookies do process personal data, which is why the record-keeping requirements stemming from the GDPR apply. Hence the vast majority of Data Protection Authorities (also referred to as DPAs) across the EU have aligned their cookie rules to GDPR requirements.
- The Cookie Law does not require that you list cookies one by one, only that you state their type, usage and purpose.
- If you use third-party cookies both you and the third-party are responsible for ensuring users are clearly informed and obtaining consent. As part of this obligation, you should always make sure to provide information about any such third-party and link to their respective privacy and/or cookie policies.
To meet these requirements, websites often display a ‘cookie banner’ when a user initially visits the website, giving them the option to give consent or restrict the use of cookies as well as providing information on the website’s cookie policy.
What Claims have been made?
An anti-fraud organisation has issued a warning as it investigates what it fears could be a widespread attempt to extort money from travel companies.
The Prevention of Fraud in Travel (Profit) group has received several reports of travel businesses receiving letters warning their websites’ usage of cookies is in breach of GDPR law and Privacy and Electronic Communications Regulations.The letter, claims to be from a senior GDPR and IT consultant and states that the claimant visited a travel company’s website and found that the site’s use of cookies was in breach of Privacy and Electronic Communications Regulations and the General Data Protection Regulation (GDPR – now enshrined in English law via the UK GDPR). It tells companies they have 21 days to pay £750 for loss of control, personal data and distress caused after the sender purports to have visited the recipients’ websites. Litigation has been threatened if no payment is made.
What can I do to protect myself?
The recent cookie-related data breach claims replicate claims that we’ve seen against a number of other businesses in the past. The claimant frequently does not explain why they were visiting a specific website and often it appears that they are doing so for the sole reason of creating a cookie-related data breach claim. The payout for a claim like this is usually relatively low, meaning that many companies will simply pay the money to avoid further conflict. All this does however, is increase the likeliness of more claims of this nature to be made.
It’s important for businesses to understand the types of cookies they’re using on their websites and ensure that there is a way for visitors to easily opt in or out of any cookies that are not essential. It’s also crucial to ensure that there is content on the website that provides sufficient information about the types of cookies they’re using and for what purpose they’re being used for.
The Future of Cookies
The UK Government has indicated that there could be changes made to the data rules post-Brexit which may include ditching cookie pop-ups. Any changes that are made are likely to be slow, so it’s a good idea to continue to deploy cookie pop-ups obtaining website visitors consent for the time being.