As new data protection laws are introduced, so are new challenges. Claim farming, in which parties submit claims for financial gain against targets unaware of data misuse, is on the rise in the UK. After navigating hardship related to COVID-19 and the increasing number of cyberattacks, UK businesses are now facing an additional exposure: claim farming using Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). In the claims we have received so far, businesses weren’t aware of their exposure, which is why building awareness and creating a plan are so critical for policyholders to protect themselves.
In some cases, businesses may be unaware that they are liable for misuse of personal data. If an individual visits their web page and notices that tracking cookies have been downloaded, they may submit a claim that the web page does not comply with regulations. The challenge is determining whether the individual making the claim deliberately sought out that web page for their own financial gain.
Third-party claims related to persistent tracking cookies being placed on personal devices without the consent of the owner are being mass-generated. The argument is that tracking cookies are an intrusion contrary to GDPR and that, as no consent was given to the placement of the tracking cookie, the claimant can seek financial compensation.
Serial claimants’ correspondence usually quotes Regulation 2(1) of Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which references “consent by a user or subscriber corresponds to the data subject’s consent in the GDPR.” Recital 32 of the GDPR states: “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.
The process for policyholders
If a breach is detected based on the guidelines above, the policyholder is notified of the installation of tracking cookies and is invited to submit a claim under any appropriate insurance cover they have in place. A claim is passed to insurers, then to a handler who is provided with evidence of both the installation and the persistence of the tracking cookies, usually in the form of a video recorded from the claimant’s device.
The claim may reference:
- the alleged web page installing tracking cookies
- proof of persistence of the tracking cookies
- how the tracking cookies create a unique identifier, which tracks internet behaviour in contravention of Regulation 6(1) of PECR
- failure to provide the claimant with clear and comprehensive information about the purposes of these cookies, in contravention of Regulation 6(2)(a) of PECR
- failure to obtain consent to use the cookies, in contravention of Regulation 6(2)(b) of PECR
- failure to process personal data in a fair, lawful and transparent manner in contravention of Article 5 of the GDPR
During claim discussions, the threat is made that if the issue is not resolved to the satisfaction of the claimant, details will be passed to the Information Commissioner’s Office (ICO). The ICO can exercise its enforcement functions under Regulation 32 of the PECR, and personal liability for breaches of PECR exists by virtue of Regulation 2(3) of The Privacy and Electronic Communications (Amendment) Regulations 2018. Correspondence usually concludes with a request for payment in the form of financial compensation for the above lack of consent, following receipt of which notification to the ICO will not be pursued.
For insurers, brokers and policyholders, it’s essential to understand the impact of not having cookie consent acceptance on web pages. Whether the business is aware or not, it may still be at fault and, as such, responsible for providing financial compensation to the claimant. Building awareness around claim farming and creating a plan can protect innocent parties from third-party claims such as these.