business woman working from home, looking at piece of paper (concept, looking at a cookie complaint) with a laptop and papers on a desk, with bookcase in background

In recent years and in response to an increased public awareness of their privacy rights, the number of cookie complaints has grown.

Our team has seen an increase in threats of civil claims to businesses in relation to their cookie and tracking technology usage. In this article, we explain how to respond to a cookie complaint if you receive one.

Cookie law

Under the current UK data protection regime, you can only process non-essential cookies and other tracking technology on a user’s device if they have given explicit consent. Businesses are permitted to use cookies and tracking technologies that are strictly necessary – however, this definition has narrow application.

Consent must be:

  • Freely given;
  • Specific;
  • Informed; and
  • Given by a clear affirmative action such as an opt in slider or tick box (that isn’t pre-ticked).

If such consent is not obtained and cookies are processed on the user’s device, you will be in breach of the user’s rights. You will also be in breach if you seek consent, but cookies are processed before, or irrespective of, the user’s consent.

What is a ‘cookie claim’?

An individual who has suffered material or non-material damage as a result of a breach has the right to compensation from the controller or processor for the damage suffered. This is additional to any enforcement action the Information Commissioner’s Office (ICO) may take against you in respect of your failure to comply with the law.

There is a growing trend of individuals contacting companies by email or letter claiming to exercise their rights in response to a breach. Often, they demand financial compensation and threat court proceedings should you fail to settle. The letters that we have seen are in substantially the same form indicating templates may be available online for public use.

Are these cookie complaints and threats legitimate?

It is important to remember that if consent has not been obtained, the individual is within their rights to complain to the ICO regarding the breach and also seek recourse against you in respect of that breach. The law is there to protect an individual’s right to privacy and so complaints should be treated as legitimate unless you have reason to suspect otherwise.

Sadly, we have seen examples of letters containing bogus or conflated allegations which cause businesses to panic.

How you respond should depend on the merit of the claim. This will involve looking at case law and the Information Commissioner’s stance on enforcement action.

What does the ICO enforcement policy say?

The ICO is responsible for data protection enforcement action under the UK and to date, there appears to be no significant enforcement action relating to cookies.

The ICO has a risk-based approach, and its guidance indicates that whilst it cannot rule out the possibility of formal action in any area, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals.

What does case law say about cookie complaints?

The Supreme Court’s ruling in the recent case of Lloyd v Google confirmed that claimants can only obtain compensation for breaches of their statutory data privacy rights if they can evidence material damage or distress.

It confirmed that loss of control of personal data alone is not sufficient. It is important to note that this case was brought under the Data Protection Act 1998 as the incident occurred prior to enactment of the current data protection regime. It does however demonstrate valuable insight into the courts position that would help us decide whether a complaint has merit.

Working out whether damage or distress has occurred can be complex but recent caselaw under the current and former data protection regimes indicate that a breach involving “minimally significant information” or where the distress is trivial would not succeed.

What should you do if you receive cookie complaints?

Treat all complaints seriously. The above caselaw clearly states that if damage or distress is suffered, a claim can be successful. Review the complaint and be sure to rectify any breach as soon as you are made aware of it. Better yet, perform regular reviews of your website compliance to pre-empt any breach.

If you are in breach, take steps to assess the extent of the breach. Look out for any mentions of distress or damage in the individual’s letter of complaint. While it is possible that a trivial breach may not give the individual realistic grounds for a claim, you must not automatically make that assumption.

If you are unsure how to respond or believe the individual may have legitimate grounds for claim, we recommend seeking legal advice. You should not make any payments or payments in kind (such as gift vouchers or free products) in response to any cookie complaint without speaking to a legal advisor first.

Our experienced team of legal advisors offer comprehensive website compliance reviews to help you meet your legal obligations and avoid claims against you. We can also provide specific advice on complaints you may receive. If you have a website compliance or cookie law question, please do not hesitate to get in touch with our Data Protection team below.