Google Can be Sued Over Cookie UsageBy: Richard Beaumont | Wednesday, April 1, 2015 | Tagged: Cookie Profiles, Google | Leave Comment
A landmark decision by the UK Court of Appeal last week has opened the way for UK consumers to claim damages from Google over the setting of tracking cookies against users wishes. It could also clarify the question I posed just recently about the status of cookie profiles as personal data, which will have wide ranging consequences for the whole digital industry.
The particular case centred on code used by Google to bypass settings in Apple’s Safari browser designed to increase consumer privacy. Google has already paid out millions of dollars to consumers in the US, but tried to claim that the UK courts held no jurisdiction over its practices and also that there was no case for seeking damages because no financial harm had been suffered.
The decision made by the court was a complex one, but essentially they sided with the case against the search giant. A further case will have to be brought before any pay out actually gets decided on, however some very significant issues were clarified by the decision.
The first is that there should not need to be proof of financial loss in order to make a claim for damages as a result of a breach of privacy. This is a big issue, particularly because financial harm can be very difficult to prove in privacy cases.
As the decision states: “It is the distressing invasion of privacy which must be taken to be the primary form of damage… and the data subject should have an effective remedy in respect of that damage”
Also of note is that the case addressed the question head on of whether click stream data that is connected to a unique cookie identifier, can be considered personal data in UK law. The argument generally made about this is that because an individual is not directly identifiable from such data, it is not personal data.
However the judges saw the point that this data could be combined with other data that does then identify the individual. Whether or not such combination actually happens is immaterial – especially when the same data can and does change hands amongst many different parties over time.
Unfortunately the question was not settled in the decision, but it was clear that there was thought to be a strong case for settling that question, and that it ought to come down on the side of such data being personal data.
If that happens and pseudonymous behavioural profiles get classed as personal data, that will have very big implications for digital data collection practices.