Does Lloyd v Google decision affect data protection claims regarding the use of cookies on websites

24 Nov 2021

The short answer is yes! 

Background

In Lloyd v Google, Mr Lloyd sought to bring a representative action against Google LLC on behalf of millions of Apple iPhone users, alleging that Google had collected data from users of Apple’s Safari browser without their knowledge or consent in breach of its obligations as a data controller under the Data Protection Act 1998 (DPA). 

The Supreme Court considered whether damages were recoverable under the DPA for loss of control of data alone where there was no identifiable damage or distress. Section 13 of the DPA provided that an individual was only entitled to compensation where “damage” or, in certain specific circumstances, “distress” was suffered as a result of the breach. 

Supreme Court judgment

The Supreme Court held that for an individual be compensated under the DPA, they would have to show “some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.”

The claimant had argued that (i) “damage” included “loss of control” over personal data and (ii) that interference with a claimant’s rights constituted “damage”.  This is frequently the type of “damage” alleged in data breach cases relating to unauthorised use of cookies on websites. 

The Supreme Court rejected this approach, ruling that “damage” was intended to be limited to material damage (such as financial loss) and distress distinct from, and caused by, unlawful processing of personal data in breach of the DPA.   

Implications for cookie-related data breach claims

The Supreme Court judgment in Lloyd v Google will provide assistance for those facing claims by individuals claiming compensation under data protection legislation. As a result of the decision it is clear that loss of control of data will not be enough to support a claim. Individuals bringing data breach claims after visiting a company’s website which uses cookies without their consent may struggle to demonstrate they have suffered any (or sufficient) “damage” or “distress”.

Such claims are usually framed very broadly without any specific detail as to the “damage” or “distress” alleged to have been caused by the unauthorised use of non-essential cookies. Although it is still good practice for companies to ensure that visitors to their website can opt in or out of any non-essential cookies so as to ensure compliance with the PECR and the GDPR, the Lloyd v Google judgment should assist in defending cookie-related data breach claims which appear opportunistic in nature and in which a claimant fails to demonstrate any material damage or distress caused as a result of the cookie usage.     

Please click here for a more detailed analysis of the Supreme Court judgment in Lloyd v Google.

 

David Healey, Trainee Solicitor, BLM
david.healey@blmlaw.com

 

<< Back

Disclaimer: This document does not present a complete or comprehensive statement of the law, nor does it constitute legal advice. It is intended only to highlight issues that may be of interest to clients of BLM. Specialist legal advice should always be sought in any particular case.

Related Expertise


Related contacts


Tim Smith

Tim Smith

Partner and Head of TMT & Cyber Practice Group,
London


Who to contact


For more information about any of our news releases, please contact:

Natalie King
 +44 20 7638 2811
+44 20 7920 0361
Email Natalie

Jo Murray
+44 20 7638 2811
+44 20 7865 4849
Email Jo

|

Not what you are looking for? Click here!