With the acceleration of the digital working society, remote working and home working, use of the internet has exploded, and the appetite for shared data has grown to a level that regulation is finding hard to keep up with.
Cookies (first-party cookies and third-party cookies) are no exception and some people out there are trying to exploit this demand and use the regulation for their own financial gain.
In the ’80s and early ’90s, insurance companies were inundated with claims for whiplash. People were causing drivers to crash into the back of their vehicles, or even faking the accident altogether, to put in a claim for whiplash.
Why? Because the insurance company paid out a fixed sum, in the region of £2000 for every case, without really investigating it.
It would have cost more to investigate than simply to pay the compensation. The ‘Cookie Law’, the ePrivacy Directive and PECR, together with the GDPR, UK GDPR etc., all give the data subject a right to claim compensation against a data controller for misuse of their data or an infringement of their rights.
They have the right to complain to the commissioner or even to take their own civil action against the data controller. Breaching a data subject’s rights can be costly for a company, not only financially but in time lost from ‘normal business activities’ and in reputational damage.
What is happening?
Some companies and customers of CookieScan have received letters from people who have used their websites, claiming that the website loaded cookies onto the device (computer or mobile device) used by the site visitor without the visitor’s consent.
One of our customers received one of these letters outlining the time and date the site was visited and the cookies that were loaded without consent, a screenshot of the cookie banner showing categories of cookies turned off, and a screenshot of the device system showing the presence of cookies loaded by our customer’s website.
The author of the letter very kindly quotes the ePrivacy regulation and finishes with a demand for £500 in compensation, failing which a complaint will be made to the Information Commissioner.
This is a small but growing e-commerce company that, firstly, does not need to be accused of being in breach of the law, secondly, does not have the time to deal with these threatening, demanding letters and, finally, does not have the resources to understand what to do and how to deal with it.
So the temptation is there to just pay, especially when they are given what appears to be such strong evidence that they have in fact loaded the cookies without consent.
What the Law says!
The law is clear on this point: the ePrivacy Regulation and PECR state that, for non-essential cookies, consent is required from the site visitor before the cookies are loaded onto the visitor’s device.
So any Marketing, Statistic (analytics), user Preference or Unclassified cookies require consent and must be blocked at the domain level until the user has given consent for them to be loaded onto the user’s device.
Essential cookies are cookies that are needed for the functionality of the website and do not require the user’s consent.
These are to allow the website to run and display fonts, colours, images, videos, shopping baskets etc. It is for the data controller to justify what is essential for the website to run.
The law also puts an obligation on the data controller (website owner) to keep a record of each site user’s consent or non-consent and to be able to provide this record upon request.
Back to the demand, what did this company do?
This company had CookieScan™ as the cookie management system on their website, so they contacted the CookieScan™ help desk. They asked CookieScan™ what they should do about this demand and whether it was true that the cookies had been loaded onto this person’s device without consent.
CookieScan™ are not consultants but are experts on matters relating to cookies and the cookie laws.
The CEO of the company that owns CookieScan™, Comtech Solutions Limited, Paul Byrne, also owns a data protection compliance company called Propelfwd, based in Jersey, Channel Islands.
They are experts on data protection matters and are consultants, so CookieScan™ have fantastic resources to draw on to help their clients.
The team at CookieScan™ asked the company to go back to the complainant asking for their IP address and whether they had used different devices to visit the website.
What does CookieScan™ record?
CookieScan™ records the interaction with the banner for every user that visits the website. It records the IP address, the time and date, and the choice made for each category of cookie: Marketing, Statistic, Preference and Unclassified.
Necessary (essential) cookies are always on, so no choice is recorded for them. The user is also given a unique reference number (URN). These records are retained by CookieScan™ for a period of 12 months.
The cookie that CookieScan™ places on a user’s device stores the choices made on the banner, and it remembers the device (IP address), not the person. So if the user visits the site using a different device, the banner will appear again for them to make a choice, and a cookie will be loaded onto that device.
People are sometimes confused by this, thinking ‘I have already told CookieScan™ what I want on this site, why ask me again?’
This cookie has an expiry setting of six months. The law is clear that consent has to be renewed on a regular basis and at least every six months. CookieScan™ does this by re-consenting all site users every six months and refreshing the database of records held, although the previous six-month record is retained for the defence of a claim.
Did we get anything back from our complaint?
A couple of weeks later the company received the additional information needed: the IP address of the person claiming that cookies had been loaded onto their device without consent and demanding £500 in compensation, failing which a complaint would be lodged with the ICO.
They also confirmed that they had only used one device, so only provided one IP address.
The company sent this information to the CookieScan™ helpdesk, quoting the incident reference number given. Within 48 hours CookieScan™ provided a list of all the interactions that the IP address had had with the website since it first visited.
The information provided included the times and dates of visits, the consent given to each category of cookie, and when consent had been removed and given again.
The most valuable information for the company concerned the day on which this person claimed the company had loaded cookies without consent.
How did CookieScan™ save the day?
On the day this person claimed cookies had been loaded without consent, CookieScan™ were able to provide evidence to the company showing that the person had visited the site and given consent to Marketing, Statistic and Preference cookies.
They did not give consent to Unclassified cookies. One hour later that same day the individual went back to the site and changed their cookie preference, removing consent for all categories of cookies.
The alleged evidence they sent to the company, showing the cookies on the device and a screenshot of the cookie banner with all categories of cookie consent turned off, was all correct at the time, but the screenshot of the device showing the presence of cookies was taken before the device had been re-cached after the cookie preferences were changed on the website.
The evidence CookieScan™ provided was able to show the deceit, and the build-up to the deception/attempted fraud, by this person in claiming that cookies had been loaded onto their device without consent.
The evidence the claimant provided was compelling but false.
The company contacted the person with the information provided by CookieScan™ and told the person that the information they had provided was inaccurate and that their device had not been re-cached after they changed their preference an hour earlier.
The company did not accuse them of any criminal behaviour but invited them to go ahead with a complaint to the ICO if they still felt it necessary.
They have heard nothing since; that was several months ago.
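To make concrete what a consent record of the kind described above can and cannot prove, here is an added example in Python (not CookieScan™’s code, and not a description of its internal format). It models the fields the article says are kept (IP address, timestamp, a choice per non-essential category, a URN), a six-month consent validity and a twelve-month retention period (both assumed as 183 and 365 days here), and the rule that the most recent choice on a device is the one in force. The dates and the TEST-NET IP address are constructed; the timeline replays the case above: consent given at 10:00, withdrawn at 11:00, and a device screenshot taken in between.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import uuid

# Non-essential categories that need consent before cookies are set.
# Necessary cookies are always allowed, so no choice is recorded for them.
CATEGORIES = ("Marketing", "Statistic", "Preference", "Unclassified")

# Assumptions for this example: consent is treated as valid for roughly six
# months, and records are kept for twelve months, as the article describes.
CONSENT_VALIDITY = timedelta(days=183)
RECORD_RETENTION = timedelta(days=365)


@dataclass
class ConsentEvent:
    urn: str                  # unique reference number given to the visitor
    ip: str                   # the device is identified by IP address, not the person
    when: datetime
    choices: Dict[str, bool]  # category -> True if consent was given


@dataclass
class ConsentLog:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, ip: str, when: datetime, choices: Dict[str, bool],
               urn: Optional[str] = None) -> ConsentEvent:
        # Every non-essential category gets an explicit answer; anything the
        # visitor did not switch on is recorded as refused.
        full = {c: bool(choices.get(c, False)) for c in CATEGORIES}
        ev = ConsentEvent(urn or uuid.uuid4().hex[:12], ip, when, full)
        self.events.append(ev)
        return ev

    def history(self, ip: str) -> List[ConsentEvent]:
        """All banner interactions from one device, oldest first."""
        return sorted((e for e in self.events if e.ip == ip), key=lambda e: e.when)

    def state_at(self, ip: str, at: datetime) -> Dict[str, bool]:
        """Effective consent for `ip` at instant `at`: the latest choice made at or
        before `at`, provided it has not expired. No usable record means no consent."""
        latest = None
        for e in self.history(ip):
            if e.when <= at:
                latest = e
        if latest is None or at - latest.when > CONSENT_VALIDITY:
            return {c: False for c in CATEGORIES}
        return dict(latest.choices)

    def prune(self, now: datetime) -> int:
        """Drop records older than the retention period; returns how many were removed."""
        before = len(self.events)
        self.events = [e for e in self.events if now - e.when <= RECORD_RETENTION]
        return before - len(self.events)


def assess_claim(log: ConsentLog, ip: str, observed_at: datetime,
                 categories_seen: List[str]) -> Dict[str, str]:
    """For each category the claimant says was loaded at `observed_at`,
    report whether the log shows consent for that category at that moment."""
    state = log.state_at(ip, observed_at)
    return {c: ("consented" if state.get(c) else "NOT consented") for c in categories_seen}


def demo() -> Dict[str, str]:
    """Replay of the article's timeline with constructed data."""
    log = ConsentLog()
    ip = "203.0.113.7"                                  # constructed TEST-NET address
    day = datetime(2023, 3, 1, tzinfo=timezone.utc)    # constructed date
    # 10:00 - visitor accepts Marketing, Statistic and Preference, refuses Unclassified
    log.record(ip, day.replace(hour=10),
               {"Marketing": True, "Statistic": True, "Preference": True})
    # 11:00 - same device returns and withdraws consent for every category
    log.record(ip, day.replace(hour=11), {})
    # The claimant's device screenshot was taken at 10:30, before the withdrawal
    return assess_claim(log, ip, day.replace(hour=10, minute=30), ["Marketing", "Statistic"])


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` reports both categories as consented at 10:30, which is exactly the point the company was able to make: cookies present on the device during that hour were loaded with consent, and a later banner screenshot showing everything switched off says nothing about the earlier state. Because `state_at` keys on the IP address, a second device shows no consent at all, which is why the article’s first question to the complainant was whether more than one device had been used.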
What is the lesson to learn?
Without the evidence to show how you manage cookies, a claim like the one we have explained above is very hard to defend.
You will be left with two choices: pay the compensation that has been demanded, or allow the complaint to go to the data protection authorities knowing that you are not complying with the data protection laws, cookie laws or the guidance of the European Data Protection Board.
The placement of a third-party cookie on a user’s device does collect personal data, even when valid consent is given.
Clear and comprehensive information must be provided to the user about the provider of the cookie, its purpose, the expiry date and the category it falls in.
It is vital that a website owner is able to show when a user has given consent to cookies being loaded onto their devices.
CookieScan can help with false claims
CookieScan is the total cookie management system for your website and has many benefits, such as:
- CookieScan™ records every user’s interaction with the cookie banners, so it can provide evidence of consent or non-consent.
- CookieScan categorises the cookies into Necessary, Marketing, Statistical, Preference and Unclassified.
- Scans the website every month for new cookies, and allows unlimited manual scans.
- Creates an updated Cookie Notice, listing all the cookies used on the website.
- With the Geo-location feature activated, CookieScan recognises the country the website is viewed in and displays the appropriate cookie banner for that country’s cookie laws.
- A Data Privacy request feature so that website users can contact the site owner and exercise their data protection rights, such as submitting a data subject access request. This shows total accountability on the website owner’s part.
- CookieScan will keep your website globally compliant with cookie laws.