The short answer is yes!
In Lloyd v Google, Mr Lloyd sought to bring a representative action against Google LLC on behalf of millions of Apple iPhone users, alleging that Google had collected data from users of Apple’s Safari browser without their knowledge or consent in breach of its obligations as a data controller under the Data Protection Act 1998 (DPA).
The Supreme Court considered whether damages were recoverable under the DPA for loss of control of data alone where there was no identifiable damage or distress. Section 13 of the DPA provided that an individual was only entitled to compensation where “damage” or, in certain specific circumstances, “distress” was suffered as a result of the breach.
Supreme Court judgment
The Supreme Court held that for an individual be compensated under the DPA, they would have to show “some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.”
The Supreme Court rejected this approach, ruling that “damage” was intended to be limited to material damage (such as financial loss) and distress distinct from, and caused by, unlawful processing of personal data in breach of the DPA.
Implications for cookie-related data breach claims
Such claims are usually framed very broadly without any specific detail as to the “damage” or “distress” alleged to have been caused by the unauthorised use of non-essential cookies. Although it is still good practice for companies to ensure that visitors to their website can opt in or out of any non-essential cookies so as to ensure compliance with the PECR and the GDPR, the Lloyd v Google judgment should assist in defending cookie-related data breach claims which appear opportunistic in nature and in which a claimant fails to demonstrate any material damage or distress caused as a result of the cookie usage.
Please click here for a more detailed analysis of the Supreme Court judgment in Lloyd v Google.
David Healey, Trainee Solicitor, BLM