Blog - May 30, 2023
How The Cookie Troll Can Affect Your Business

We often come across new trends at RiskBox – and the latest seems to be requests for damages due to the unauthorised deployment of cookies on your website.

Previously, we’ve seen legal threats and demands for compensation when an exploitative company uses reverse image search to find agencies allegedly breaching intellectual property (IP) rights and then claims damages.

And we’re now seeing a similar practice with cookies. Organisations look for compensation from website owners for alleged infringements from the use of cookies.

Let’s take a look at what the latest cookie troll trend means for you, and what happens if you fall foul.


Disclaimer: Please note that this does not constitute legal advice. We always recommend you seek appropriate legal advice when dealing with third-party accusations.


What is the cookie troll? And what does it entail?

The so-called ‘cookie troll’ is when an exploitative company – set up specifically for this purpose – finds alleged cookie breaches on your website and claims for damages. While cookies should be used fairly and reasonably, some of the legal actions are borderline ridiculous – but that doesn’t mean they wouldn’t succeed in a court of law.

If this happens to you, you will likely receive a comprehensive email detailing the breach and how it has adversely impacted the claimant. You might also receive a letter expanding on how they have been affected after visiting your website.

You may face a mountain of legal terminology, with references to the Privacy and Electronic Communications Regulations (PECR), GDPR, and recent case law and guidance from the Information Commissioner’s Office (ICO). But don’t panic. The jargon is designed to convince you, and the letters drop in the large fines the ICO could levy for breaches.

Generally speaking, they request compensation for ‘damages’ with an offer of a without-prejudice settlement, plus timescales for response and payment, allowing you to avoid the painful and expensive process of legal action. This is followed up with reminders until their deadline.

The communications are often very templated but will usually include screenshots of your site and further evidence to reinforce their validity.

Of course, there are always a few genuine exceptions. But, in our experience, they’re generally trolls. They’ve existed for many years, with different faces – from image rights to patent rights – looking to enforce rights far beyond their value or the damage caused.


What do the experts say?

Paul Strout, Head of Specialist Data Risks Consultancy, GDPR Assist, said of the matter:

“I have seen a number of these claim letters from the same individuals who appear to be sending them en masse on an industrial scale. They can look intimidating, but it’s essentially a sales campaign by these individuals. I haven’t seen any that have progressed beyond a polite but firm rejection letter from the recipient organisation. They absolutely don’t want these cases to progress to court – it would be a challenge for them to prove any damage beyond the trivial.

The specific breach would be of the requirement to obtain consent to UK GDPR standards for the deployment of non-essential cookies such as popular analytics tools; this consent is required under PECR. No UK organisation has been fined by the ICO for breaching the PECR rules for cookies.

I would, however, say that you should act to ensure you are deploying your website cookies lawfully and, by doing so, demonstrate to your genuine visitors that you are deserving of their trust.”


Insurer involvement and response

Insurer involvement

Cookie claims would likely fall under a Professional Indemnity or Cyber Liability policy. Assuming you have suitable cover, insurers could step in to help.

Because the value of the demand is usually relatively low, the business often needs to consider any excesses that may be applied, which are sometimes higher than the demand itself. It may be a question of insurer involvement or seeking counsel to manage your position.

How does it work with the ICO?

When we’ve referred these matters to insurers in the past, they believed the cookie issue was unlikely to cause a risk to a person’s rights and freedoms. Under Article 33.1 of the UK GDPR, you don’t have to notify the supervisory authority (ICO) in such circumstances.

As the ICO is a statutory public regulatory body, it has certain statutory powers which include imposing administrative fines and penalties. But the ICO doesn’t make the law, and there are always rights of appeal against any decision the regulator makes.

Complaints about cookies by data subjects are first referred to a case officer, who will usually write to the data controller for information. The ICO normally uses standard-form precedent letters and then makes an assessment depending on the information received. In most cases (except severe breaches of the UK GDPR), the ICO will simply issue a letter of non-compliance with some advisory steps.

So, does a letter of non-compliance mean compensation for the claimant?

If the ICO issues a letter of non-compliance, the claimant might take it as proof that they have a right to compensation, strengthening their resolve to seek damages. However, that’s not technically correct. While judges normally accept the ICO’s decision as evidence of infringement, it’s not the end of the matter.

The court must determine whether the evidence suggests the claimant has actually suffered loss, which is a separate issue, assessed by different legal criteria and based on live or written evidence in a court hearing.

It’s possible for the small claims track of the local county court to issue proceedings, but the claimant would have to pay a fee relative to the quantum claimed, which might deter them.


Actions to consider

The best course of action is to review your internal cookie policy and make sure you follow best practices. It might also help to seek advice from a suitably qualified individual – like Paul Strout from GDPR Assist – to support you through this process.

It’s then your decision whether you respond to the demand, discuss a without-prejudice settlement, or ignore it, noting the other party may escalate matters.



Given the likely volume of these requests, it would be interesting to see how many are taken further than the initial request and reminders. We suspect they’re often issued with the hope some stick – but without the validity to enforce them.


Speak to RiskBox

If you’re concerned about the cookie troll, we’re happy to discuss it in more detail. Contact our team today on 0161 533 0411. Alternatively, email us or fill in our online contact form, and we’ll get back to you.


Photo by Mark König on Unsplash
