Marketing and data go hand in hand and every action is informed or measured through data. Businesses want to know who opened what marcoms; who visited what pages; or who bought product x and product y to allow them to make future marketing more effective. They want more intelligent sales data and a better understanding of their core shopper demographics and purchasing habits so that they can ensure they are getting the right messages to them. The right data allows targeting, it allows better and more effective marketing spend and that should drive obvious return on investment through sales or another tangible metric.
Given the high profile, and expensive, consequences of getting it wrong, understanding the art of the possible and deep collaboration between legal, marketing, sales and other teams developing campaigns is essential. This is particularly important where the data and insights you covert require someone to transact in respect of their privacy. This is illustrated by one of the most prominent themes from 2021, the meteoric rise of cookie-related claims.
Last year, we saw numerous claims where complainants (including known privacy activists) used basic online tools to identify and illustrate potential gaps in compliance with cookie laws (e.g. the Directive on privacy and electronic communications ("PEC")). Many of the complainants are actively searching the web for non-compliance, then making claims where they find it, often alleging they have been caused distress through the non-compliant use of cookies (i.e. 'ambulance chasing'), and with business actively chasing valuable data and sometimes not collaborating as they should, there have been a number of examples of issues arising.
Direct marketing
Consumer businesses wish to provide a positive and engaging experience to customers and prospective customers through their marketing and legal requirements can often seem like they conflict with or block those marketing objectives. However, if navigated effectively, quality marketing can generate tangible data and insights whilst simultaneously meeting the requirements of PEC and the GDPR. We have set out three key points to consider when tackling this issue:
- Understand the customer journey, end to end. To consider the specific, immediate marketing activity in question can often create a fragmented approach to the customer journey. Make sure the specific mechanism operates in a user-friendly way and doesn't unnecessarily add steps to the process, which could negatively impact the customer experience. We often see well-intended processes not delivering the expected results due to a disconnect between the marketing and technical teams rushing to deploy a new tool and the legal/privacy teams only being able to provide fragmented advice on how to meet the legal requirements. A good example of this is in relation to the presentation of privacy information on mobile applications.
- Think ahead. Draft notices and consent requests with anticipated activities in mind. Ensure notices and consent statements encompass (genuine) business objectives, but beware of bundling multiple consents together. We often see challenges for clients that have good levels of transparency in their notices, but haven't defined all the different purposes of processing, e.g. the full use of cookies and other tracking technologies.
- Consent has a high bar, make sure you meet all the conditions. The GDPR and relevant regulatory guidance set out the various elements of obtaining valid consent. However, it is still an area where we are frequently seeing issues, which can have significant implications on business objectives. For example, a large customer marketing database that relies on processing on the basis of consent, may not be used if it is determined that such consent was not validly obtained.
Cookies (and other tracking technologies)
We expect that 2022 will see the continuing rapid increase in cookie-related claims. These cookie claims are being made by numerous individuals (some of whom we see often across different matters) who assert that cookies and other tracking technologies have been placed on their device without their consent to do so. The claims often request compensation for loss of control of data obtained through the use of cookies and the subsequent distress caused as a result. Many go on to threaten litigation if no settlement is made.
The complainants we have seen frequently suggest a company has placed cookies without consent, in breach of PEC requirements, and that any subsequent processing of personal data derived from the use of such cookies are unlawful under the GDPR. PEC requirements state that websites need to obtain consent prior to placing any cookies on users' devices unless they are deemed 'strictly necessary' (i.e. the website simply would not function without them). As most people are now aware, websites often display 'cookie banners' when users access the website. The banner often invites users to consent to the use of cookies as well as providing further information on the website's cookie policy and preferences. Despite their ubiquity, we still see a number of issues with consent language contained in cookie banners. The banners often fail to meet the conditions required to meet the GDPR standard (which the PEC standard is now aligned to). Any cookies dropped containing personal data (e.g. an online identifier) without valid consent may also breach the GDPR's fair and lawful processing principle.
Given the public-facing nature of cookies, plus the fact that online tools are readily available to scan websites for cookies, it is very easy for an individual to check if an organisation is compliant with cookie laws. There has also been an increase in public awareness of cookie laws, as a result of media coverage of high-profile cases, regulatory action and government soundbites in respect of the legislation. This has contributed to the contentious environment we are seeing, with high levels of adverse scrutiny i.e. the large uptick in claims by individuals and increased interest from data regulators. There is also a fast growing market of claimant law firms looking for the next big thing, seizing on this area and commoditising these claims. They are seeking to obtain compensation using the same precedent claim letters again and again. Given some of these scrutineers are privacy activists, companies should take care when handling such claims, they have a habit of multiplying. That multiplication is not going to stop any time soon.
We recognise that cookie banners can be annoying, but will not be going away until there is a significant change in law, therefore it is important for companies using cookies to ensure they do so in a compliant way, or be prepared to face claims or potential enforcement action.
If you have received any of these claims or if you would like to discuss these issues, please contact Shervin Nahid or Julia Layton or find out more about our Data Protection and Cyber Security team.