This blog was originally published in Insurance Day, October 2022.
In recent years, there have been concerns over the data privacy implications arising from the use of cookies.
Anyone who regularly uses a computer will be all too familiar with cookie consent pop-ups, which appear when opening a web browser and seek users’ express consent to allow cookies to be used.
Cookies – small text files that websites place on a computer while browsing – are typically used to track activity and facilitate targeted content, including advertisements.
In recent years there have been concerns about the data privacy implications arising from their use, resulting in robust action taken by data protection authorities. As complaints and individual claims arising from pop-ups become more frequent across the EU and the UK, their continued use comes with an increased risk of enforcement action and compensation claims, including the potential for group litigation.
The EU’s General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Directive, also known as the e-Privacy Directive, govern the use of cookies and pop-ups. While the GDPR contains minimal express reference to cookies, by contrast the e-Privacy Directive, dubbed 'the cookie law', requires a web user’s clear and unambiguous consent before any cookies are used, except for those that are strictly necessary.
Both regimes are implemented into UK law. However, the UK Government’s recently proposed Data Protection and Digital Information Bill indicates future divergence from the EU framework, including a lowered threshold for consent, which in certain circumstances, such as enabling software updates, would no longer be required. While many in the tech industry have welcomed getting rid of what is perceived to be unnecessary 'red tape', privacy campaigners have warned against it, raising concerns that web users could be exposed to an increased risk of identity theft or fraud.
In February 2022, the Belgian Data Protection Authority (BDPA) found that pop-ups are in breach of the GDPR, ruling that the Transparency Consent Framework (TCF) was not GDPR-compliant. The TCF was developed by the Interactive Advertising Bureau Europe (IAB Europe) to enable publishers to inform web users, and obtain their consent, regarding the processing of their personal data to facilitate targeted advertisements by adtech companies. The BDPA highlighted a number of breaches, including failures to keep personal data secure and confidential and to properly request consent regarding its use.
IAB Europe was fined €250,000 and ordered to submit a corrective action plan, including changes to the TCF, within two months. The BDPA’s ruling followed similar rulings issued by the French Data Protection Authority in December 2021, which imposed a cumulative fine in excess of €200 million on Google and Facebook (now Meta) in relation to similar cookie-related infringements and GDPR violations.
On appeal by IAB Europe, the Belgian Market Court (BMC) ruled the BDPA did not properly investigate the facts and allegations made. However, the appeal remains suspended pending the BMC’s referral of preliminary questions to the Court of Justice of the EU (CJEU), including how the concept of data controllership in the GDPR is to be interpreted.
As the BMC’s final decision is unlikely to come before 2023, potential data privacy risks arising from pop-ups remain a live concern for businesses operating in the adtech ecosystem, and their insurers.
In terms of implications for insurers, the continued use of the TCF and similar technologies could give rise to future investigations by data protection authorities, resulting in fines or penalties and the associated legal costs. Such legal costs are typically covered by cyber insurance policies, although that is not necessarily the case for fines or penalties issued under the GDPR and/or UK GDPR. While some policies expressly exclude cover for fines, others provide cover “to the extent insurable by law”.
Notwithstanding the CJEU’s pending preliminary ruling, the robust stance taken by EU data protection authorities provides a foundation for future class action litigation in relation to the unlawful use of pop-ups, as exemplified by the data privacy class action in the Netherlands against Oracle and Salesforce entities on behalf of 10 million Dutch internet users.
Although the action was ultimately dismissed because of procedural formalities, the court did not close the door on future litigation in this area. This risk is amplified further as EU Member States gradually transpose the EU Collective Redress Directive – which lists the GDPR and the e-Privacy Directive as EU laws in respect of which a representative action may be filed – into their national laws.
Similar data privacy actions were also commenced in the UK against Oracle and Salesforce. Whilst there are indications that these actions may be dropped due to reported legal uncertainty surrounding privacy class actions following the Supreme Court judgment in Lloyd v Google [2021], the risk of class actions in relation to cookie infringements remains live, as claimants and their funders continue to test the courts in the data privacy sphere and the data protection regulatory framework continues to evolve.
Looking ahead, insurers should ensure companies’ online advertising systems that involve the processing of personal data are GDPR-compliant and that web users are provided with clear and unambiguous information about how their data will be used and processed to ensure valid and informed consent is obtained.