Recapping the Google Group Action: The Safari Cookie Exploit Explained

In the world of UK consumer rights, some of the most significant battles begin with what seems like a minor technicality. Few cases illustrate this better than the landmark group action against Google, a saga that started not with a dramatic data breach, but with a simple browser setting on iPhones. This ‘minor’ setting, designed to protect user privacy, became the centre of a legal earthquake when Google allegedly bypassed it, leading to one of the UK’s first major opt-out collective actions. The case didn’t just challenge a tech giant; it fundamentally reshaped the landscape for mass claims, paving a legal path now being followed by claimants against online casinos. Let’s revisit the Google Safari cookie exploit and unpack its enduring legacy for UK consumers.

What Was the ‘Safari Workaround’ and How Did It Work?

Between 2011 and 2012, Google implemented what became known as the ‘Safari Workaround’. At the time, Apple’s Safari browser on iPhones and other devices had a default privacy setting that blocked third-party cookies—tiny tracking files used by advertisers to follow users across the web. Google’s advertising arm, DoubleClick, relied on these cookies for its lucrative targeted ad business.

To circumvent Safari’s default blocking, Google engineered a workaround. It placed a temporary, innocuous-looking cookie that tricked Safari into thinking a user had interacted with a DoubleClick ad, even when they hadn’t. This deception switched Safari’s privacy settings ‘open’, allowing DoubleClick tracking cookies to be set without the user’s knowledge or consent. This covert tracking affected millions of UK iPhone users, harvesting data about their browsing habits for targeted advertising.

The practice was uncovered by a Stanford researcher in 2012, leading to a swift investigation by the UK’s data watchdog, the Information Commissioner’s Office (ICO). While the ICO did not issue a fine at the time, it confirmed Google’s actions were in breach of UK data protection law, setting the stage for a monumental legal challenge from affected consumers.

The UK Group Action: Who Led the Claim and Why?

In response to this systemic breach, a representative action was launched in the High Court under the banner ‘Google You Owe Us’. The claim was spearheaded by former executive director of Which?, Richard Lloyd, and backed by the renowned consumer champion Which?. They sought damages on behalf of an estimated 4.4 million affected Apple iPhone users in England and Wales.

The legal basis for the claim was the Data Protection Act 1998. Crucially, the claimants argued that they did not need to prove specific financial loss or distress. Instead, they based their case on the novel legal concept of ‘loss of control’ over personal data. They contended that Google’s secretive and unlawful collection and exploitation of sensitive browsing data constituted a wrongful act for which each member of the class deserved compensation. This approach was pivotal, as it meant a mass claim could proceed without needing to assess the individual circumstances of millions of people.

Key Legal Battles and the Supreme Court Ruling

Google fought the claim vigorously, attempting to have it struck out before it could reach trial. The company argued, among other points, that the claimants had not suffered any damage and that a representative action was not the suitable mechanism. After initial setbacks in the High Court and Court of Appeal, the case reached the Supreme Court of the United Kingdom in 2021.

The Supreme Court’s ruling was a landmark victory for collective redress. It overturned previous decisions and allowed the claim to proceed. The court made two critical findings:

  • It confirmed that ‘loss of control’ of personal data could constitute actionable damage for which compensation could be awarded, even without proof of financial loss or distress.
  • It established that a representative action could be brought on behalf of a large, defined class of individuals who had suffered the same wrongful act, even if the individual damages were small.

This ruling shattered a significant barrier to mass consumer claims in the UK, validating the opt-out model where individuals are included in a claim unless they choose to opt out.

Comparing the Google Case to Modern Gambling Group Actions

The legal framework tested in the Google courtroom is now being directly applied to a new frontier of consumer claims: the iGaming sector. Today, we see mass claims forming against major online casino operators like Flutter Entertainment (owners of Paddy Power and Betfair) and Entain (owners of Ladbrokes and Coral). While the industries differ, the parallels in legal strategy and allegations of systemic corporate failure are striking.

Similarities in Collective Redress Mechanisms

The core similarity lies in the use of the collective action mechanism. Just as the Google claim grouped millions of iPhone users, current gambling claims aim to represent thousands, or even hundreds of thousands, of problem gamblers who allege they were failed by the same operator. Both types of claims allege a widespread, systemic practice—be it unlawful data processing or a failure in social responsibility and customer due diligence—that affected a large, identifiable class of people. The Supreme Court’s green light for the Google action provided the blueprint for these opt-out class actions in the UK.

Contrasts in the Nature of the Claim and Harm Suffered

The fundamental difference is in the nature of the alleged harm. The Google case was about a violation of data privacy and ‘loss of control’ over personal information. The harm, while significant, was largely intangible. In contrast, claims against online casinos allege profound financial, emotional, and psychological harm. They argue that operators breached their licence duties under the Gambling Commission UK regulations by failing to:

  • Conduct adequate affordability checks.
  • Intervene when signs of problem gambling were evident.
  • Prevent excessive, reckless gambling that led to life-altering losses.

Here, the damages sought are for tangible financial loss and significant psychiatric injury, moving beyond data rights into the realm of consumer protection and duty of care.

What Was the Outcome and Its Legacy for UK Consumers?

Following the Supreme Court victory, the ‘Google You Owe Us’ claim did not ultimately proceed to a full trial. After further legal manoeuvring, the claim was not certified to proceed as a representative action under the new procedural rules. However, to view this as a defeat would be to miss its monumental legacy.

The case irrevocably changed the landscape of UK consumer law. It proved that a well-organised collective, backed by consumer champions, could take on one of the world’s most powerful corporations and win a pivotal legal principle in the highest court. Its legacy is twofold:

  1. It paved the way for opt-out collective actions: The Supreme Court judgment is now the foundational precedent for all subsequent mass claims, including those against online casinos. It showed the legal system could handle claims on behalf of millions.
  2. It influenced regulatory attitudes to redress: The case demonstrated the power of collective litigation to hold digital giants accountable. This has undoubtedly influenced the Gambling Commission UK, which now explicitly states that it expects operators to engage with and facilitate collective redress schemes where widespread consumer harm is identified, rather than forcing individuals to fight alone.

The Google Safari cookie case was the crucial test run for modern UK group actions. It broke the legal ground, proving that collective redress is a powerful tool for challenging systemic corporate misconduct. That same principle is now being vigorously applied in the iGaming sector, offering a route to justice for problem gamblers who believe they were failed by the very operators tasked with protecting them. From tracking cookies to betting stakes, the battle for consumer accountability has found its blueprint.
